Solved: Re: How to edit my search to find the sum and aver...

singhh4 · ‎05-20-2016

I have found a search that is able to get me the duration between 2 fields, but I need to add them and/or get their average of them.

index="purchase" |eval start=strptime(StartDate,"%Y-%m-%d %H:%M:%S") |eval end=strptime(EndDate,"%Y-%m-%d %H:%M:%S") |eval diff = tostring((end - start), "duration") |table diff

Output:

4+00:01:28.000000
3+12:55:13.000000
3+03:38:04.000000
6+14:49:01.000000
4+00:45:39.000000

Is it possible to add them or get their average? I am trying:

stats sum(diff) by Group
stats avg(diff) by Group

but it just gives me no results.

The output I am looking for is:

Group   |   Total Time Taken               Group   |   Average Time Taken
________________________                   __________________________
Group1  |   2+22:04:52.000000              Group1  |   22:04:52.000000
Group2  |   2+10:41:29.000000              Group2  |   10:41:29.000000
Group3  |   2+06:25:43.000000              Group3  |   06:25:43.000000

Thank you in advanced! 🙂

sundareshr · ‎05-20-2016

Do the sum/avg before you change the format to duration. So try this

... |eval diff = end-start | eval diff=tostring(diff, "duration") | table diff

OR

... |eval diff = end-start | stats sum(diff) as diff | eval diff=tostring(diff, "duration")

View solution in original post

sundareshr · ‎05-20-2016

Do the sum/avg before you change the format to duration. So try this

... |eval diff = end-start | eval diff=tostring(diff, "duration") | table diff

OR

... |eval diff = end-start | stats sum(diff) as diff | eval diff=tostring(diff, "duration")

How to edit my search to find the sum and average of durations?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?