Splunk Search

Issue with the AVG however min and max work fine.

joe06031990
Communicator

Hello, 

I am using the stats command; however, the AVG shows as being blank, yet min and max work fine:

 

index=index_test source="Test" host="Testhost" | stats AVG(timetaken) as AVG

 

Any help would be greatly appreciated 😀.

Thanks

0 Karma

isoutamo
SplunkTrust

Hi

Ensure that this field is numeric. You can check it from the left side panel, under interesting fields, and check if there is “#” or “a” before it. # means numeric and a means character. If it’s a character then there could be a space before or after the number. This can be solved with e.g.

eval timetaken = tonumber(trim(timetaken))

r. Ismo

0 Karma

joe06031990
Communicator

Hi, the field is a character and has hours, minutes, seconds and milliseconds. I have tried your eval; however, I still get the same results.

0 Karma

isoutamo
SplunkTrust

As avg works only for numbers, you must first convert your time field to numeric. You should use strptime with the correct format string to convert it to numeric, then calculate the avg for it, and in the last step you could convert it back to a time string with the strftime function with the correct format string. More about those functions: https://docs.splunk.com/Documentation/Splunk/8.0.5/SearchReference/DateandTimeFunctions

r. Ismo

0 Karma

joe06031990
Communicator

Still having a bit of trouble with this; the format is 00:00:00:000000?

 

thanks 

0 Karma

isoutamo
SplunkTrust

Can you give some sample events?

0 Karma

joe06031990
Communicator

The field I need to find the average for is TimeTaken=00:00:00:0000000.

0 Karma

isoutamo
SplunkTrust

Updated my previous example with the change . -> : Did it work now?

0 Karma

isoutamo
SplunkTrust

You could convert this to epoch with the next example:

 

| makeresults
| eval foo = "00:00:00:0000000"
| eval bar = strptime(foo, "%H:%M:%S:%7Q")
| eval foobar = strftime(bar, "%H:%M:%S:%7Q")
| table foo bar foobar

 

0 Karma
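
An added example, not from any poster in this thread: instead of strptime, it splits the TimeTaken string with rex and converts it to seconds so that avg has a number to work on, then renders the average back as a duration (whole seconds). The three sample values are constructed, and the names h, m, s, frac, secs, events and parsed are assumptions; on real data, replace the first three lines with the base search.

```spl
| makeresults count=3
| streamstats count as n
| eval TimeTaken=case(n==1, "00:00:01:5000000", n==2, "00:00:02:5000000", n==3, "00:01:00:0000000")
| rex field=TimeTaken "^(?<h>\d+):(?<m>\d+):(?<s>\d+):(?<frac>\d+)$"
| eval secs=tonumber(h)*3600 + tonumber(m)*60 + tonumber(s) + tonumber("0.".frac)
| stats count as events count(secs) as parsed avg(secs) as avg_secs min(secs) as min_secs max(secs) as max_secs
| eval avg_secs=round(avg_secs, 3)
| eval avg_hms=tostring(round(avg_secs), "duration")
```

On a string field, min and max still return a value because stats falls back to lexicographical ordering for non-numeric values, while avg returns nothing. Comparing parsed with events shows how many values failed the conversion.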