Hi,

Message 1 Message 1 Message 1 conf msg Message 2 req xyz Message 2 Message 2

I have a sample log like this. Here I need to find the delay (time difference) between the Message 1 before "conf msg" and the Message 2 immediately next to "req xyz" in a single event.

I used a query like this and am not getting the expected result:

transaction startswith=("Message 1") endswith=("Message 2")|search ("conf msg")|stats count perc95(duration) as VALUE

Is there any logic to get the exact result?

It would help to see the rest of the event to know what fields are available to create an mvlist. What I have done, similar to what you are wanting to do, is break out the entire event into 5 or 6 fields, then group them by the field that is common to that transaction, such as ip_address. This is much easier when you set up a transactiontypes.conf for the transaction you are looking to create.

Example of transaction from transactiontypes.conf:

# Stanza name is a placeholder; the original post did not show one.
[login_submit]
fields = ip_address
startswith = "Login"
endswith = "Submit"
mvlist = event_type, event_timestamp, ip_address, user_id

Hope this helps!
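The selection the question describes, worked outside Splunk as an added Python example (not code from either poster): it takes the last "Message 1" before "conf msg" and the first "Message 2" after "req xyz" within one event and returns the gap in seconds. It assumes one timestamped message per line; the timestamp format, the sample event and the function names are constructed for illustration, since the thread shows no timestamps.

```python
from datetime import datetime

TS_FMT = "%Y-%m-%d %H:%M:%S.%f"  # assumed timestamp layout; the post shows none

# Constructed sample event, following the message order given in the question.
SAMPLE_EVENT = """\
2024-01-01 10:00:00.100 Message 1
2024-01-01 10:00:00.250 Message 1
2024-01-01 10:00:00.400 Message 1
2024-01-01 10:00:00.900 conf msg
2024-01-01 10:00:01.000 Message 2
2024-01-01 10:00:01.300 req xyz
2024-01-01 10:00:01.750 Message 2
2024-01-01 10:00:02.000 Message 2
"""

def parse_event(raw):
    """Split an event into (timestamp, text) pairs, skipping malformed lines."""
    rows = []
    for line in raw.splitlines():
        parts = line.split(" ", 2)  # date, time, message text
        if len(parts) < 3:
            continue
        try:
            ts = datetime.strptime(parts[0] + " " + parts[1], TS_FMT)
        except ValueError:
            continue
        rows.append((ts, parts[2].strip()))
    return rows

def marker_delay(raw):
    """Seconds from the last "Message 1" before "conf msg" to the first
    "Message 2" after "req xyz"; None if any of those lines is missing."""
    rows = parse_event(raw)
    texts = [t for _, t in rows]
    if "conf msg" not in texts or "req xyz" not in texts:
        return None
    conf_i, req_i = texts.index("conf msg"), texts.index("req xyz")
    starts = [ts for ts, t in rows[:conf_i] if t == "Message 1"]
    ends = [ts for ts, t in rows[req_i + 1:] if t == "Message 2"]
    if not starts or not ends:
        return None
    return (ends[0] - starts[-1]).total_seconds()
```

On the constructed event this picks the 10:00:00.400 and 10:00:01.750 lines, skipping the "Message 2" that sits between "conf msg" and "req xyz".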

