I am using the stats command; however, the AVG shows as being blank, yet min and max work fine:
Index=index_ test source="Test" host="Testhost" | stats AVG(timetaken) as AVG
Any help would be greatly appreciated 😀.
Ensure that this field is numeric. You can check it from the left side panel, under interesting fields, and see whether there is “#” or “a” before it. # means numeric and a means character. If it’s character, then there could be a space before or after the number. This can be solved with, e.g.:
eval timetaken = tonumber(trim(timetaken))
As avg works only for numbers, you must first convert your time field to numeric. You should use strptime with the correct format string to convert it to numeric, then calculate avg for it, and in the last step you could convert it back to a time string with the strftime function and the correct format string. More about those functions: https://docs.splunk.com/Documentation/Splunk/8.0.5/SearchReference/DateandTimeFunctions
You could convert this to epoch with the next example:
| makeresults | eval foo = "00:00:00:0000000" | eval bar = strptime(foo, "%H:%M:%S:%7Q") | eval foobar = strftime(bar, "%H:%M:%S:%7Q") | table foo bar foobar
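Added example, not part of either answer or of Splunk: the convert, average, convert-back procedure described above, written in Python for values exported from the search. It assumes timetaken is a duration in the HH:MM:SS:fffffff layout shown in the thread (or a plain number of seconds, possibly padded with spaces); the function names and sample values are constructed for illustration.

```python
import re

# Layout from the thread: HH:MM:SS:fffffff (7 fractional digits = 100 ns ticks).
# Python's %f directive accepts at most 6 digits, so the value is parsed by hand.
_DURATION = re.compile(r"(\d{2}):(\d{2}):(\d{2}):(\d{7})")
TICKS_PER_SECOND = 10_000_000


def to_ticks(raw):
    """Return the value in 100 ns ticks, or None if it cannot be made numeric."""
    if raw is None:
        return None
    value = raw.strip()  # same job as trim() in the first answer
    match = _DURATION.fullmatch(value)
    if match:
        hours, minutes, seconds, frac = (int(g) for g in match.groups())
        if minutes > 59 or seconds > 59:
            return None
        return ((hours * 60 + minutes) * 60 + seconds) * TICKS_PER_SECOND + frac
    try:
        return round(float(value) * TICKS_PER_SECOND)  # plain number of seconds
    except (ValueError, OverflowError):
        return None


def from_ticks(ticks):
    """Format ticks back into the HH:MM:SS:fffffff layout."""
    seconds, frac = divmod(ticks, TICKS_PER_SECOND)
    minutes, secs = divmod(seconds, 60)
    hours, mins = divmod(minutes, 60)
    return f"{hours:02d}:{mins:02d}:{secs:02d}:{frac:07d}"


def average_timetaken(values):
    """Average the convertible values and list the ones that were skipped."""
    ticks, rejected = [], []
    for value in values:
        converted = to_ticks(value)
        if converted is None:
            rejected.append(value)
        else:
            ticks.append(converted)
    average = from_ticks(sum(ticks) // len(ticks)) if ticks else None
    return average, rejected


# Constructed sample values: two clean, one padded with spaces, one unusable.
SAMPLE = ["00:00:01:5000000", " 00:00:02:0000000 ", "00:00:04:0000000", "n/a"]

if __name__ == "__main__":
    print(average_timetaken(SAMPLE))
```

A non-empty rejected list means some events carry a timetaken value that neither conversion can handle, so they do not contribute to the average.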