Say you have a stream of events, such as web page accesses. There is no field for amount of time on a certain page, so I am interested in getting the time between event A and the next newer event temporally, event B.
I need this difference to appear in a field associated with event A, so I can say a user spent X amount of time at webpage A. This will likely be used in a transaction to differentiate clickstreams by user.
Is there such a thing as "time until next event"? Any advice would be helpful!
Figured it out:
| streamstats range(_time) as Duration window=2
Makes a handy Duration field, for each event giving the time between it and the event after it. Does what I need it to!
Assuming your list of events is in chronological order and belongs to a single user, you can try this:
*| delta _time as timeSpentOnPreviousPage | accum timeSpentOnPreviousPage as totalTime
From your 2nd event on you will get for each event a timeSpentOnPreviousPage and totalTime field containing the running time difference between events and the running total time, respectively.
It goes in strictly event order, so if you have things like web_page and src_ip, you will need to sort by web_page (or provide some other arguments to streamstats) first, otherwise you will get absolute time between events, not between a particular user's events.
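As an added example (not from the thread or from Splunk), the Python below emulates what `streamstats range(_time) as Duration window=2` computes, with and without a per-user `by` clause, on a constructed clickstream ordered newest-first as Splunk returns events by default. The field names `user` and `page` are assumptions; it shows why the ungrouped form mixes users' gaps together.

```python
from collections import deque

# Constructed sample clickstream (not from the thread), newest first,
# mirroring Splunk's default reverse-chronological event order.
# _time is in epoch seconds; field names user/page are assumptions.
EVENTS = [
    {"_time": 1000, "user": "u1", "page": "/checkout"},
    {"_time": 940,  "user": "u2", "page": "/cart"},
    {"_time": 900,  "user": "u1", "page": "/cart"},
    {"_time": 880,  "user": "u2", "page": "/home"},
    {"_time": 800,  "user": "u1", "page": "/home"},
]


def streamstats_range(events, window=2, by=None):
    """Emulate `streamstats range(_time) as Duration window=N [by field]`.

    Walks events in stream order. For each event, Duration is max-min of
    _time over the last `window` events seen in the same group (the event
    alone when the group has fewer). With newest-first order and window=2,
    that is the gap between the event and the next newer one; the newest
    event of each group has no newer neighbour and gets 0.
    """
    windows = {}
    out = []
    for ev in events:
        key = ev.get(by) if by else None
        w = windows.setdefault(key, deque(maxlen=window))
        w.append(ev["_time"])
        out.append({**ev, "Duration": max(w) - min(w)})
    return out


def time_on_page(events, by="user"):
    """Per-(user, page) time spent, i.e. the grouped Duration, dropping the
    zero for each user's newest event, which has no next event to measure to."""
    return {(e[by], e["page"]): e["Duration"]
            for e in streamstats_range(events, by=by) if e["Duration"] > 0}


if __name__ == "__main__":
    # Ungrouped: u1's /cart gets 40s (gap to u2's /cart), not time on page.
    print([e["Duration"] for e in streamstats_range(EVENTS)])
    # Grouped by user: u1's /cart gets 100s (gap to u1's own /checkout).
    print(time_on_page(EVENTS))
```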
You should be able to use a transaction command that starts and stops with each event. From there, we automatically create a "duration" field that logs the amount of time between them. Alternatively, you could evaluate the difference in the _time field.
So, using the alternative method, how would you access a separate event's _time to eval it with the current one?
I tested and for events A, B, C, D, there are only two transactions, AB and CD. Thus, the time between B and C is inaccessible.
For events A, B, C, D, would this approach create transactions of A/B, C/D, or A/B, B/C, C/D? If the former, then the B event would get no duration, and disappear from the results.