I have a search that returns the time of the first instance of a specific event (field "firstaction") by date (field "ldate").
search yadda yadda yadda | stats earliest(time) as firstaction by ldate
results:
ldate firstaction
2019-12-30 09:00:00.000
2019-12-31 07:00:00.000
What I want is the average time (value) of all the results.... or in this case 08:00:00.000
"|stats avg(firstaction) " doesn't return anything.
Also, only days that have a value should be averaged.
I thought about breaking out the value of the hours, minutes and seconds and converting them to a sum of seconds... then averaging the sum of seconds by day and then converting them back to a time value... but that seems overly complex and I can't be the only person that needs to know the average time of the first occurrence of something by day and alert if it falls outside a standard deviation.
Any thoughts (besides purchasing behavioral analytics)?
... View more