How can I find the avg duration trend (timechart) of the top 5 (most used) APIs above 5 seconds? If APIs have the same total calls, pick the highest duration.
This is what I have so far.
<Search string>
| bin _time span=1m
| eventstats count as total by api
| stats avg(kpi_value) as duration by _time api total
| where duration >5
| timechart eval(round(avg(duration),2)) as avg_duration by api where total in top5 limit=0
Give this a try
<Search string>
| bin _time span=1m
| stats avg(kpi_value) as duration by _time api
| where duration >5
| timechart eval(round(avg(duration),2)) as avg_duration by api limit=5 useother=f
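An added example, not part of the original thread: `timechart ... limit=5` keeps the five series with the largest summed values, so this variant ranks the APIs explicitly by call count and breaks ties on duration before charting. It assumes "total calls" counts all events per API (as in the question's `eventstats`) and that "highest duration" means the highest per-minute average; `calls`, `peak` and `rank` are field names chosen here.

```spl
<Search string>
| bin _time span=1m
| stats count as calls avg(kpi_value) as duration by _time api
| eventstats sum(calls) as total by api
| where duration > 5
| eventstats max(duration) as peak by api
| sort 0 -total -peak api
| streamstats dc(api) as rank
| where rank <= 5
| timechart span=1m eval(round(avg(duration),2)) as avg_duration by api limit=0
```

Sorting on `api` last keeps each API's rows contiguous when two APIs tie on both `total` and `peak`, so `streamstats dc(api)` assigns one rank per API.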
I had this originally, but I might have been overthinking this problem. Thanks!