Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to calculate Max, Min, Avg for duration of a t...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
amunag439
Explorer
07-03-2019
11:50 AM
I'm calculating the time difference between two events by using Transaction and Duration. Below is the query that I used to get the duration between two events Model and Response
host=* sourcetype=** source="*/example.log" "Model*" OR "Response*"
| transaction traceId startswith="Model" endswith="Response" | eval dur=duration
| eval time_taken=tostring(dur,"duration") | table traceId time_taken _time
And the result would be similar to
traceId | time_take | _time
trace_1681692777 | 00:00:0.451 | 2019-07-03 15:52:02.537
trace_1681692779 | 00:00:1.921 | 2019-07-03 15:55:00.129
trace_1681692780 | 00:00:3.981 | 2019-07-03 15:59:01.754
Using the above data, I want to get the max, min and avg time_taken values. I tried using stats min(dur) as min, etc and eval but was not successful. How do I achieve this?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
07-03-2019
11:57 AM
Like this:
index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo AND host=* AND source="*/example.log" AND ("Model*" OR "Response*")
| transaction traceId startswith="Model" endswith="Response"
| eventstats min(duration) As min_dur max(duration) AS max_dur avg(duration) AS avg_dur
| rename duration AS time_taken
| fieldformat time_taken = tostring(duration,"duration")
| table traceId time_taken _time *_dur
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
07-03-2019
11:57 AM
Like this:
index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo AND host=* AND source="*/example.log" AND ("Model*" OR "Response*")
| transaction traceId startswith="Model" endswith="Response"
| eventstats min(duration) As min_dur max(duration) AS max_dur avg(duration) AS avg_dur
| rename duration AS time_taken
| fieldformat time_taken = tostring(duration,"duration")
| table traceId time_taken _time *_dur
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
amunag439
Explorer
07-03-2019
12:32 PM
Works like a charm. Thank you
Get Updates on the Splunk Community!
Your Guide to Splunk Digital Experience Monitoring
A flawless digital experience isn't just an advantage, it's key to customer loyalty and business success. But ...
Data Management Digest – November 2025
Welcome to the inaugural edition of Data Management Digest!
As your trusted partner in data innovation, the ...
Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA
Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...
