Splunk Search

how to find the average response time per minute for a selected timerange?

Builder

Hello,

I am doing a search for selected timerange 27th to 28th
index=abc... | bucket _time span=1d|eval Time=strftime(_time, "%m-%d-%Y ")| chart count over id by Time usenull=f useother=f

OUTPUT:

id   01-27-2018  01-28-2018
aaa  500         600
bbb  400         300

I want the average of each id per minute, for example avg_permin=500/1440=0.34, as there are 1440 minutes per day.

I am trying to use rename for the date but I don't think that will work.

Thanks

0 Karma

Re: how to find the average response time per minute for a selected timerange?

SplunkTrust

You can use the foreach command like this:

index=abc... | bucket _time span=1d|eval Time=strftime(_time, "%m-%d-%Y ")| chart count over id by Time usenull=f useother=f
| foreach * [ eval "<<FIELD>>"=if("<<FIELD>>"!=id, round('<<FIELD>>'/1440,2), '<<FIELD>>')]
0 Karma

Re: how to find the average response time per minute for a selected timerange?

Builder

I am sorry, but what will go in place of FIELD in my case, and what is "<<FIELD>>"!=id?

0 Karma

Re: how to find the average response time per minute for a selected timerange?

Nothing would go in place of FIELD or <<FIELD>>. You should use the code literally as it's written. You'll take the current search you have and then paste at the end of it:
| foreach * [ eval "<<FIELD>>"=if("<<FIELD>>"!=id, round('<<FIELD>>'/1440,2), '<<FIELD>>')]

The portion of the code that says "<<FIELD>>"!=id is checking which field the code is currently using. As you'd like calculations performed on all fields except the one named id, the code has to check to see if it's currently evaluating the id field, and if it is then it should not try to divide the id by 1440.

0 Karma
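An added example, not written by any poster in this thread, showing the foreach template substitution on constructed data. The two rows mirror the table in the question, and the wildcard "*-*-*" is an assumption chosen to match only the %m-%d-%Y column names, so the id column is never part of the loop. Before eval runs, "<<FIELD>>" in double quotes becomes the column name as text and '<<FIELD>>' in single quotes becomes a reference to that column's value.

```spl
| makeresults count=2
| streamstats count AS n
| eval id=if(n=1, "aaa", "bbb")
| eval "01-27-2018"=if(n=1, 500, 400), "01-28-2018"=if(n=1, 600, 300)
| fields - _time n
| foreach "*-*-*"
    [ eval "<<FIELD>>"=round('<<FIELD>>'/1440, 2) ]
| table id *
```

Because it starts with makeresults, the search needs no index and can be pasted into a search bar as is.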

Re: how to find the average response time per minute for a selected timerange?

Builder

Thank you, but I tried pasting the same thing and ran the search. I don't see any change in the results; it is the same as before. Where will the values for the eval expression move to?

0 Karma

Re: how to find the average response time per minute for a selected timerange?

SplunkTrust

It'll overwrite the fields that have been created for Time field values. The eval should divide all values by 1440 and round it to 2 decimal places. Could you paste the exact search you used? You can mask any sensitive data in the query.

0 Karma

Re: how to find the average response time per minute for a selected timerange?

Builder

This is exactly the same search

index=abc type=" request" id=va* | bucket _time span=1d|eval Time=strftime(_time, "%m-%d-%Y ")| chart count over id by Time | foreach * [ eval "<<FIELD>>"=if("<<FIELD>>"!=id, round('<<FIELD>>'/1440,2), '<<FIELD>>')]

0 Karma

Re: how to find the average response time per minute for a selected timerange?

SplunkTrust

Try this:

index=<your_index> 
| bucket _time span=1d 
| eval Time=strftime(_time, "%m-%d-%Y ") 
| chart count over id by Time usenull=f useother=f 
| foreach * 
    [ eval "<<FIELD>>"=if(NOT "<<FIELD>>"="id",round('<<FIELD>>'/1440,2), '<<FIELD>>')]

Let me know if this helps!

0 Karma

Re: how to find the average response time per minute for a selected timerange?

Builder

I tried this, but the result shows no values for the field id.

0 Karma