Every line of the log file has a transaction id, a time stamp, and a message. It is intended to show a trace of all transactions. I'd like to modify the query below to show the differences between timestamps at all points and possibly highlight the largest differences per transaction.
The query I currently have is
| sort time ASC | stats list(time) , list(message) by id | sort id
Try this:
your base search | sort 0 time | streamstats current=f window=1 last(time) as prevTime by id | eval duration=time-prevTime | eventstats max(duration) as MaxDur by id | eval duration=if(duration=MaxDur,"**".tostring(duration),duration) | stats list(time) , list(duration) , list(message) by id
Start with your base search and try adding pieces one by one to see which part of the search is breaking things or not working as expected. This works fine with similar data I have.
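The same computation the SPL above performs (sort by time, per-id previous timestamp, delta, flag the per-id maximum with `**`), written out in Python as an added example that is not from this thread; the log-line format `<id> <epoch seconds> <message>` and the sample lines are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample log: "<transaction id> <epoch seconds> <message>", unordered in time.
SAMPLE_LOG = """\
tx1 1000 begin
tx2 1001 begin
tx1 1003 lookup
tx2 1010 lookup
tx1 1004 commit
tx2 1011 commit
"""

def parse(text):
    """Split each line into id / numeric time / message (the fields the SPL expects)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        tid, ts, msg = line.split(" ", 2)
        # time must be numeric or the subtraction below (and the SPL eval) yields nothing
        events.append({"id": tid, "time": int(ts), "message": msg})
    return events

def durations_by_id(events):
    """sort 0 time | streamstats last(time) as prevTime by id | eval duration
    | eventstats max(duration) by id | stats list(...) by id, as plain Python."""
    by_id = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):      # sort 0 time
        rows = by_id[ev["id"]]
        prev = rows[-1]["time"] if rows else None           # streamstats current=f window=1
        duration = None if prev is None else ev["time"] - prev
        rows.append({"time": ev["time"], "duration": duration, "message": ev["message"]})
    result = {}
    for tid, rows in sorted(by_id.items()):                 # sort id
        durs = [r["duration"] for r in rows if r["duration"] is not None]
        max_dur = max(durs) if durs else None               # eventstats max(duration) by id
        for r in rows:
            d = r["duration"]
            if d is None:                 # first event of the transaction: no prevTime
                r["flag"] = ""
            elif d == max_dur:            # largest gap for this id, marked like the SPL's "**"
                r["flag"] = "**" + str(d)
            else:
                r["flag"] = str(d)
        result[tid] = rows
    return result

if __name__ == "__main__":
    for tid, rows in durations_by_id(parse(SAMPLE_LOG)).items():
        print(tid, [(r["time"], r["flag"], r["message"]) for r in rows])
```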
Any ideas why this query isn't working?
Data is being returned, but it is just some of the lines of the log files.
Can you validate if data is being returned before the stats command?
The variable names look right but now it isn't showing anything for duration.
Just fixed one typo in the eval. Try the updated search. Also, check the variable names (time/id/message).
When I run that query, I'm returned all 0s for duration.