Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Average Time over two Timestamps

JoeSco27
Communicator
‎07-10-2013 07:18 AM

I am trying to get the average Session duration by USER_ID, but a single USER_ID can have multiple SESSION_ID. The SESSION_ID is the unique identifier. I currently have a table that looks like this:

USER_ID------SESSION_ID ----------------------- start --------------------------- stop

UserA ------{firstSessionID} ---------- 20130710 08:15:53 -------- 20130710 08:16:15

UserB-----{secondSessionID} ----- 20130710 08:16:42 -------- 20130710 08:16:55

UserA------{ThirdSessionID} ------- 20130709 13:34:23 -------- 20130709 13:35:34

I am trying to eventually have a list of all the USER_ID and the average Session duration by USER_ID. My search for the above result looks like this:

index=loghistory SESSION_ID=* USER_ID=* DEALER_ID=* USER_ID!="N/A" |stats earliest(EVENT_TIMESTAMP) as start, latest(EVENT_TIMESTAMP) as stop by USER_ID,SESSION_ID

Thank you in advance.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Damien_Dallimor
Ultra Champion
‎07-10-2013 07:56 AM

Try something like this.
Converting times to epoch times , then doing the math on the epoch value :

...| eval startSession=strptime(start,"%Y%m%d %H:%M:%S") | eval endSession=strptime(stop,"%Y%m%d %H:%M:%S") | eval sessionDuration=endSession-startSession | stats avg(sessionDuration) by USER_ID

View solution in original post

Reply
Solved! Jump to solution
Solution

Damien_Dallimor
Ultra Champion
‎07-10-2013 07:56 AM

Try something like this.
Converting times to epoch times , then doing the math on the epoch value :

...| eval startSession=strptime(start,"%Y%m%d %H:%M:%S") | eval endSession=strptime(stop,"%Y%m%d %H:%M:%S") | eval sessionDuration=endSession-startSession | stats avg(sessionDuration) by USER_ID
Reply
Solved! Jump to solution

Damien_Dallimor
Ultra Champion
‎07-10-2013 09:36 AM

Yes , seconds. You can use "strftime" to convert it back into another format.

Don't forget to accept the answer if it worked.

0 Karma
Reply
Solved! Jump to solution

JoeSco27
Communicator
‎07-10-2013 09:33 AM

This works, thank you. The time that returns is in seconds because it was converted to epoch, correct?

0 Karma
Reply
Solved! Jump to solution

bmacias84
Champion
‎07-10-2013 07:41 AM

use the Transaction command.

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...