Multiple average time calculations in a single sea...

angersleek · ‎05-22-2018

This is my log format.

{
    servicename: ServiceOne
    end.timestamp: 20000
    start.timestamp: 19920
}

{
    servicename: ServiceTwo
    end.timestamp: 30000
    start.timestamp: 29520
}

{
    servicename: ServiceOne
    end.timestamp: 59800
    start.timestamp: 59220
}

I am trying to calculate the average time taken for each service and display it in a trellis Layout on my Dashboard.

For example as follows:

ServiceOne(milliSecond) ServiceTwo(milliSecond) ServiceThree(milliSecond) 

200                     320                     455

I am able to capture the data, subtract the time to get the duration for each time the service is called and get its average to display it for one service. Is there a way I could do this for all my services (there are 8 of them) in a single search to display it in a single Trellis layout as shown in the above example? Thanks.

This is what I have done which works for a single service.

servicename=Service* | Convert num(end.timestamp) as end_time | Convert num(start.timestamp) as start_time | eval time_taken=(end_time - start_time) | eval AllServicesDurationField=toString(time_taken) | chart avg(AllServicesDurationField) as "All Services"

somesoni2 · ‎05-22-2018

Just add by servicename at the end of your chart command.

Multiple average time calculations in a single search for Trellis Display

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation