**Background**
So I have two date fields - Date_Created & Acknowledge_Date both in the format "YYYY-MM-DD HH:MM:SS". I wish to work out the difference of these two times and then create an average of all the results - essentially this -> Average(Acknowledge_Date-Date_Created)
**Query**
I have created the following query - this has converted the times to epoch - subtracted them and provided an average of the epoch time.
```
index="Cyber" sourcetype=Response queue = "Incident" status ="resolved" | dedup ticket
| table Date_Created, Acknowledge_Date
| eval epoch1=strptime(Date_Created,"%Y-%m-%d %H:%M:%S")
| convert timeformat="%Y-%m-%d %H:%M:%S" mktime(Date_Created) as epochDateCreated
| eval epoch2=strptime(Acknowledge_Date,"%Y-%m-%d %H:%M:%S")
| convert timeformat="%Y-%m-%d %H:%M:%S" mktime(Acknowledge_Date) as epochAck
| eval Diff=(epochAck-epochDateCreated)
| stats avg(Diff)
```
**Problem**
I now have an average number in epoch format - 5848.333333 - is there a way to convert this into HH:MM:SS?
Any help will be much appreciated.
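
An added example, not part of the original post: one way to render the averaged seconds as HH:MM:SS is Splunk's `tostring(X, "duration")` eval function, shown here on the post's own index and field names. The result names `created`, `acked`, `avg_diff` and `avg_ack_time` are chosen for this example.

```spl
index="Cyber" sourcetype=Response queue="Incident" status="resolved"
| dedup ticket
| eval created=strptime(Date_Created, "%Y-%m-%d %H:%M:%S")
| eval acked=strptime(Acknowledge_Date, "%Y-%m-%d %H:%M:%S")
| eval Diff=acked-created
| stats avg(Diff) as avg_diff
| eval avg_ack_time=tostring(round(avg_diff), "duration")
```

With the value from the post, 5848.333333 rounds to 5848 seconds, which renders as 01:37:28. Averages of a day or more come back in `D+HH:MM:SS` form.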