What is the format of the underlying field? There are at least five different ways, but the efficiency will be based on the field format.
Thanks for the response
Here's the base of the search with MTTR is the mean time to repair or average outage time averaged by duration. The "avg_outage" is epoch:
| transaction node startswith="upordown=down" endswith="upordown=available"
| stats avg(duration) as avgoutage by node
| eval MTTR=tostring(avgoutage, "duration")
| table node MTTR
maybe like this:
| transaction node startswith="up_or_down=down" endswith="up_or_down=available" | stats avg(duration) as avg_outage by node | eval rounded_avg_outage = round(avg_outage, 2) | eval MTTR = tostring(rounded_avg_outage, "duration) | table node MTTR
hope it helps