Splunk Search

How to calculate the average time in a URL?

rosho
Communicator

Hi
I want to calculate the average time of being in a URL.
This SPL shows me the time spent in a URL, but NOT the average

index=fortigate 
| transaction url
| table duration, url

This other SPL gives me the Total average. It is NOT by url

index=fortigate 
| transaction url
| stats avg(duration) AS Avg_Session_Time
0 Karma
1 Solution

chinmoya
Communicator

| stats avg(duration) AS Avg_Session_Time by url

View solution in original post

0 Karma

chinmoya
Communicator

| stats avg(duration) AS Avg_Session_Time by url

0 Karma

niketn
Legend

@rosho unfortunately I dont think this information is enough for correlating the duration in a URL. What is the event data/field which will determine login and logoff or something similar that URL is in use?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

rosho
Communicator
index=bigip host="F5-BOU-4K-A.entourage.intra"
| transaction session_id
| stats avg(duration) AS Avg_Session_time by Client_IP

This will do it. But I do not know how to put the average bytes_in for each clientip

0 Karma

rosho
Communicator

Can you give me an example?

0 Karma

nabeel652
Builder

I think you need to add session_id in your query otherwise it will not differentiate between different sessions/users.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...