Splunk Search

How to calculate the average time in a URL?

rosho
Communicator

Hi
I want to calculate the average time of being in a URL.
This SPL shows me the time spent in a URL, but NOT the average

index=fortigate 
| transaction url
| table duration, url

This other SPL gives me the Total average. It is NOT by url

index=fortigate 
| transaction url
| stats avg(duration) AS Avg_Session_Time
0 Karma
1 Solution

chinmoya
Communicator

| stats avg(duration) AS Avg_Session_Time by url

View solution in original post

0 Karma

chinmoya
Communicator

| stats avg(duration) AS Avg_Session_Time by url

0 Karma

niketn
Legend

@rosho unfortunately I dont think this information is enough for correlating the duration in a URL. What is the event data/field which will determine login and logoff or something similar that URL is in use?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

rosho
Communicator
index=bigip host="F5-BOU-4K-A.entourage.intra"
| transaction session_id
| stats avg(duration) AS Avg_Session_time by Client_IP

This will do it. But I do not know how to put the average bytes_in for each clientip

0 Karma

rosho
Communicator

Can you give me an example?

0 Karma

nabeel652
Builder

I think you need to add session_id in your query otherwise it will not differentiate between different sessions/users.

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...