Splunk Search

How to calculate the average time of day a job will finish with end_time field?

allan_newton
Path Finder

I have a table which has start_time & end_time of some jobs. Now i want to calculate the average at what point of time in a day the job ends.

start_time end_time
13/03/2014 11:12:29 am 13/03/2014 11:25:23 am
13/03/2014 12:02:05 pm 13/03/2014 12:15:29 pm
13/03/2014 12:29:00 pm 13/03/2014 12:58:20 pm
13/03/2014 01:00:30 pm 13/03/2014 01:12:59 pm

My average of end_time should tell me something like daily at "12:10:23 pm" the job will be finished.

Tags (3)
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

You could append this:

... | eval epoch_end = strptime(end_time, "%d/%m/%Y %H:%M:%S") | stats avg(epoch_end) as avg_epoch_end | eval avg_end = strftime(avg_epoch_end, "%d/%m/%Y %H:%M:%S")

View solution in original post

HiroshiSatoh
Champion

Try this!

(your search)|eval endtime_epoc=strptime(end_time,"%d/%m/%Y %I:%M:%S %P")|eval date=strftime(endtime_epoc,"%d/%m/%Y")|stats avg(endtime_epoc) as avg_endtime by date|eval avg_endtime=strftime(avg_endtime,"%I:%M:%S %P")|table date,avg_endtime

datasearchninja
Communicator

Send your table output to this:

| eval endtime_epoc=strptime(end_time, "%d/%m/%Y %I:%M:%S %p") | eval day_seconds=endtime_epoc%86400 | stats list(start_time) list(end_time) avg(day_seconds) as avg_day_seconds | eval avg_endtime=strftime(avg_day_seconds, "%I:%M:%S %p")

martin_mueller
SplunkTrust
SplunkTrust

You could append this:

... | eval epoch_end = strptime(end_time, "%d/%m/%Y %H:%M:%S") | stats avg(epoch_end) as avg_epoch_end | eval avg_end = strftime(avg_epoch_end, "%d/%m/%Y %H:%M:%S")
Get Updates on the Splunk Community!

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...

Access to Splunk Observability Kubernetes “Classic Navigator” UI will no longer be available starting January ...

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...