Splunk Search

How to write a search to calculate the average length of sessions by time?

dgravesa1
New Member

Hi New to Splunk:

Trying to calculate average session lengths ( in time ) for sessions that have failed. And one for sessions that are successful. Below is what i have put together:

index=CCTV streaming_realm=* SessionFailed | bucket span=1m _time | dedup device_id, requested_deliverable | search SessionID="*" | stats range(_time) AS Session_Duration_sec by SessionID | stats avg(Session_Duration_Sec)
Tags (3)
0 Karma

somesoni2
Revered Legend

Try this

index=CCTV streaming_realm=* SessionFailed | stats range(_time) as duration by SessionID | stats avg(duration) as Avg_Session_Duration_Sec

OR

index=CCTV streaming_realm=* SessionFailed | transaction SessionID | stats avg(duration) as Avg_Session_Duration_Sec
0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...