Splunk Search
Highlighted

How to edit my search to figure out average time tracking?

New Member

Alright...new to Splunk and actually been figuring it out as I go along. The only problem I am having is I am trying to capture 2 time fields. I'm trying to capture TimeToOwnMinutes and TimeToCloseMinutes both are avg. The search I have pasted below shows an additional field of overall time that I don't need. Thoughts on how to capture time in minutes?

index="alerts" USER_LOGIN=*  DUPLICATE_COUNT=0 
| rename RECEIVED_TIME as RT, ANNOTATION_TIME as AT, ALERT_OWNERSHIP_TIME as AOT 
| eval CT=coalesce(CLOSED_TIME, closed_time)
| eval Annotes=substr(ANNOTATION,1,3) 
| eval ctime=strptime(CT, "%m/%d/%y %H:%M:%S") 
| eval rtime=strptime(RT, "%m/%d/%y %H:%M:%S") 
| eval atime=strptime(AT, "%m/%d/%y %H:%M:%S") 
| eval aotime=strptime(AOT, "%m/%d/%y %H:%M:%S") 
| eval TimeToClose=ctime-rtime 
| eval TimeToClose=abs(TimeToClose) 
| eval TimeToOwn=aotime-rtime 
| eval TimeToOwn=abs(TimeToOwn) 
| eval RT_Time=strftime(rtime, "%m/%d/%Y %I:%M:%S %p") 
| eval CT_Time=strftime(ctime, "%m/%d/%Y %I:%M:%S %p") 
| eval AT_Time=strftime(atime, "%m/%d/%Y %I:%M:%S %p") 
| eval AOT_Time=strftime(aotime, "%m/%d/%Y %I:%M:%S %p") 
| eval Time_To_Close_Minutes=round(TimeToClose/60,2) 
| eval Time_To_Own_Minutes=round(TimeToOwn/60,2) 
| stats count as "Overall Time" avg(Time_To_Own_Minutes) as "Overall: Avg Time to Close in Minutes" avg(Time_To_Close_Minutes)
0 Karma
Highlighted

Re: How to edit my search to figure out average time tracking?

Super Champion

if i understand what you're trying to achieve, does this work:

index="alerts" USER_LOGIN=*  DUPLICATE_COUNT=0 
 | rename RECEIVED_TIME as RT, ANNOTATION_TIME as AT, ALERT_OWNERSHIP_TIME as AOT 
 | eval CT=coalesce(CLOSED_TIME, closed_time)
 | eval Annotes=substr(ANNOTATION,1,3) 
 | eval ctime=strptime(CT, "%m/%d/%y %H:%M:%S") 
 | eval rtime=strptime(RT, "%m/%d/%y %H:%M:%S") 
 | eval atime=strptime(AT, "%m/%d/%y %H:%M:%S") 
 | eval aotime=strptime(AOT, "%m/%d/%y %H:%M:%S") 
 | eval Time_To_Close_Minutes=round(abs(ctime-rtime)/60,2) 
 | eval Time_To_Own_Minutes=round(abs(aotime-rtime)/60,2)  
 | stats avg(Time_To_Own_Minutes) as "Overall: Avg Time to Own in Minutes" avg(Time_To_Close_Minutes) as "Overall: Avg Time to Close in Minutes"

View solution in original post

0 Karma
Highlighted

Re: How to edit my search to figure out average time tracking?

New Member

This is exactly what I was looking for! Sadly for me the change was way too easy, but thank you for your help on this one!!!

0 Karma
Highlighted

Re: How to edit my search to figure out average time tracking?

Super Champion

That's alright, you're new and sometimes it's the easiest thing that's the hardest to see!

0 Karma