Hi! I'm trying to get the avg time of transactions where the duration is longer than normal. I can successfully do what I want in a appendcols clause, but it feels like hard work for something simple. The appendcols is added at the end to show you what I wanted to do.
index=ourindex APIRequestStart OR APIRequestStop
| transaction uuid startswith="* - APIRequestStart" endswith="* - APIRequestStop"
| timechart count(eval(duration>2)) AS "Number Slow Transactions", **avg(eval(duration>2)) AS "Avg Slow Transactions"**, count AS "Total Transactions", avg(duration) AS "Avg Transactions" span=1h
| appendcols [search index=index_cesoa* APIRequestStart OR APIRequestStop
| transaction uuid startswith="* - APIRequestStart" endswith="* - APIRequestStop"
| where duration > 2
| timechart avg(duration) AS "Working Avg Slow Transactions" span=1h]
can you do this instead:
index=ourindex APIRequestStart OR APIRequestStop
| transaction uuid startswith=" - APIRequestStart" endswith=" - APIRequestStop"
|eval durationGT2=if(duration>2,duration,null())
| timechart count(durationGT2) AS "Number Slow Transactions", avg(durationGT2) AS "Avg Slow Transactions", count AS "Total Transactions", avg(duration) AS "Avg Transactions" span=1h
just add an eval to grab the durations you're looking for
can you do this instead:
index=ourindex APIRequestStart OR APIRequestStop
| transaction uuid startswith=" - APIRequestStart" endswith=" - APIRequestStop"
|eval durationGT2=if(duration>2,duration,null())
| timechart count(durationGT2) AS "Number Slow Transactions", avg(durationGT2) AS "Avg Slow Transactions", count AS "Total Transactions", avg(duration) AS "Avg Transactions" span=1h
just add an eval to grab the durations you're looking for
Perfect! I knew it was dead easy. Thanks a lot!