1

I am using Splunk to chart the average duration of a transaction for each host; refer to the search query below:

```
(host = "A" OR host = "B" OR host = "C" OR host = "D" OR host = "E" OR host = "F" OR host = "G" OR host = "H")
AND source = "logs/BAU.log"
| transaction submission_id startswith="ABC Logic begins" endswith="ABC Logic ended"
| chart avg(duration) by host
```

I now have a chart with avg(duration) in seconds as the Y-axis, host as the X-axis.


How do I change avg(duration) so that it's expressed in decimal minutes (something like 2.34 mins) instead of the current seconds?

Thanks

waffledood
  • 193
  • 8

1 Answer

2

You can modify the avg(duration) to minutes in your Splunk query using eval.

Here's the code:

```
(host = "A" OR host = "B" OR host = "C" OR host = "D" OR host = "E" OR host = "F" OR host = "G" OR host = "H") AND source = "logs/BAU.log"
| transaction submission_id startswith="ABC Logic begins" endswith="ABC Logic ended"
| eval duration=duration/60
| chart avg(duration) by host
```

Hope my answer will help.

Iliasse
  • 94
  • 6
  • as a follow-up question, do you happen to know how to adjust the decimal places of `duration`? i would like to limit it to 2 decimal places because one of the duration values is coming up as `2.1333333` – waffledood Jul 13 '23 at 09:28
  • 1
    you can use the `round` function; here's an example: instead of `eval duration=duration/60` do `eval duration=round(duration/60, 2)` – Iliasse Jul 13 '23 at 09:48
  • hi @Iliasse, i have another question related to Splunk, if you can assist: https://stackoverflow.com/questions/76684706/splunk-group-x-axis-elements-together thanks in advance – waffledood Jul 14 '23 at 04:25
  • someone already answered the question ;) – Iliasse Jul 17 '23 at 09:31
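
Added example, not part of the original answer or comments: rounding each transaction's duration before `avg` does not limit the decimals of the average itself, so this search computes the value both ways on the same rows for comparison. The three `makeresults` rows, their durations, and the field names `per_event_min`, `rounded_before_avg`, `avg_sec` and `rounded_after_avg` are constructed for illustration.

```spl
| makeresults count=3
| streamstats count as n
| eval host="A", duration=case(n=1, 100, n=2, 130, n=3, 154)
| eval per_event_min=round(duration/60, 2)
| stats avg(per_event_min) as rounded_before_avg avg(duration) as avg_sec by host
| eval rounded_after_avg=round(avg_sec/60, 2)
| table host rounded_before_avg rounded_after_avg
```

Applied to the search in the question, the same ordering is `| chart avg(duration) as avg_duration by host | eval avg_duration=round(avg_duration/60, 2)`.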