6/29/22 4:58:14.526 PM | 2022-06-29 17:58:14.526 [Task1] INFO Task1 - Published Task1 received id 101 |
6/29/22 4:59:14.526 PM | 2022-06-29 17:58:14.526 [Task1] INFO Task1 - Published Task1 done id 101 |
I'm trying to fetch the time for both events (when the task is received and when it is done) and calculate the difference between them in the form of a table.
I tried:
index=source "Published Task1"
| rex "id (?<ID>\d+)"
| table ID start_time End_time difference _time
What's lacking in that query are the fields other than "ID". You can, however, use stats and eval to get them.
index=source "Published Task1"
| rex "id (?<ID>\d+)"
| stats min(_time) as start_time, max(_time) as End_time by ID
| eval difference_time = End_time - start_time
| table ID start_time End_time difference_time
It was really helpful.
Thank you so much.
I'm getting the time in Unix format:
1656483082.160
Is there any easy way to convert it?
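The stats/eval approach from the answer, extended to render the epoch values as readable timestamps and the difference as a duration. This is an added example, not part of the original thread; the two events are constructed with `makeresults` so the search runs without the `source` index, and the second event's timestamp is assumed to be one minute after the first.

```spl
| makeresults count=2
| streamstats count as n
| eval _raw=case(
    n=1, "2022-06-29 17:58:14.526 [Task1] INFO Task1 - Published Task1 received id 101",
    n=2, "2022-06-29 17:59:14.526 [Task1] INFO Task1 - Published Task1 done id 101")
| eval _time=strptime(substr(_raw, 1, 23), "%Y-%m-%d %H:%M:%S.%3N")
| rex "id (?<ID>\d+)"
| stats min(_time) as start_time, max(_time) as End_time by ID
| eval difference_time = End_time - start_time
| eval duration = tostring(difference_time, "duration")
| fieldformat start_time = strftime(start_time, "%Y-%m-%d %H:%M:%S.%3N")
| fieldformat End_time = strftime(End_time, "%Y-%m-%d %H:%M:%S.%3N")
| table ID start_time End_time difference_time duration
```

`fieldformat` changes only how the value is displayed, so `start_time` and `End_time` stay numeric for sorting and further arithmetic; `min`/`max` assume each ID has exactly one received event and one done event.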