Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my search to figure out average time tracking?

rickyrivera1
New Member
‎05-24-2017 12:35 PM

Alright...new to Splunk and actually been figuring it out as I go along. The only problem I am having is I am trying to capture 2 time fields. I'm trying to capture Time_To_Own_Minutes and Time_To_Close_Minutes both are avg. The search I have pasted below shows an additional field of overall time that I don't need. Thoughts on how to capture time in minutes?

index="alerts" USER_LOGIN=*  DUPLICATE_COUNT=0 
| rename RECEIVED_TIME as RT, ANNOTATION_TIME as AT, ALERT_OWNERSHIP_TIME as AOT 
| eval CT=coalesce(CLOSED_TIME, closed_time)
| eval Annotes=substr(ANNOTATION,1,3) 
| eval ctime=strptime(CT, "%m/%d/%y %H:%M:%S") 
| eval rtime=strptime(RT, "%m/%d/%y %H:%M:%S") 
| eval atime=strptime(AT, "%m/%d/%y %H:%M:%S") 
| eval aotime=strptime(AOT, "%m/%d/%y %H:%M:%S") 
| eval TimeToClose=ctime-rtime 
| eval TimeToClose=abs(TimeToClose) 
| eval TimeToOwn=aotime-rtime 
| eval TimeToOwn=abs(TimeToOwn) 
| eval RT_Time=strftime(rtime, "%m/%d/%Y %I:%M:%S %p") 
| eval CT_Time=strftime(ctime, "%m/%d/%Y %I:%M:%S %p") 
| eval AT_Time=strftime(atime, "%m/%d/%Y %I:%M:%S %p") 
| eval AOT_Time=strftime(aotime, "%m/%d/%Y %I:%M:%S %p") 
| eval Time_To_Close_Minutes=round(TimeToClose/60,2) 
| eval Time_To_Own_Minutes=round(TimeToOwn/60,2) 
| stats count as "Overall Time" avg(Time_To_Own_Minutes) as "Overall: Avg Time to Close in Minutes" avg(Time_To_Close_Minutes)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

cmerriman
Super Champion
‎05-24-2017 01:00 PM

if i understand what you're trying to achieve, does this work:

index="alerts" USER_LOGIN=*  DUPLICATE_COUNT=0 
 | rename RECEIVED_TIME as RT, ANNOTATION_TIME as AT, ALERT_OWNERSHIP_TIME as AOT 
 | eval CT=coalesce(CLOSED_TIME, closed_time)
 | eval Annotes=substr(ANNOTATION,1,3) 
 | eval ctime=strptime(CT, "%m/%d/%y %H:%M:%S") 
 | eval rtime=strptime(RT, "%m/%d/%y %H:%M:%S") 
 | eval atime=strptime(AT, "%m/%d/%y %H:%M:%S") 
 | eval aotime=strptime(AOT, "%m/%d/%y %H:%M:%S") 
 | eval Time_To_Close_Minutes=round(abs(ctime-rtime)/60,2) 
 | eval Time_To_Own_Minutes=round(abs(aotime-rtime)/60,2)  
 | stats avg(Time_To_Own_Minutes) as "Overall: Avg Time to Own in Minutes" avg(Time_To_Close_Minutes) as "Overall: Avg Time to Close in Minutes"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

rickyrivera1
New Member
‎05-25-2017 05:37 AM

This is exactly what I was looking for! Sadly for me the change was way too easy, but thank you for your help on this one!!!

0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎05-25-2017 05:40 AM

That's alright, you're new and sometimes it's the easiest thing that's the hardest to see!

0 Karma
Reply
Solved! Jump to solution
Solution

cmerriman
Super Champion
‎05-24-2017 01:00 PM

if i understand what you're trying to achieve, does this work:

index="alerts" USER_LOGIN=*  DUPLICATE_COUNT=0 
 | rename RECEIVED_TIME as RT, ANNOTATION_TIME as AT, ALERT_OWNERSHIP_TIME as AOT 
 | eval CT=coalesce(CLOSED_TIME, closed_time)
 | eval Annotes=substr(ANNOTATION,1,3) 
 | eval ctime=strptime(CT, "%m/%d/%y %H:%M:%S") 
 | eval rtime=strptime(RT, "%m/%d/%y %H:%M:%S") 
 | eval atime=strptime(AT, "%m/%d/%y %H:%M:%S") 
 | eval aotime=strptime(AOT, "%m/%d/%y %H:%M:%S") 
 | eval Time_To_Close_Minutes=round(abs(ctime-rtime)/60,2) 
 | eval Time_To_Own_Minutes=round(abs(aotime-rtime)/60,2)  
 | stats avg(Time_To_Own_Minutes) as "Overall: Avg Time to Own in Minutes" avg(Time_To_Close_Minutes) as "Overall: Avg Time to Close in Minutes"
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...