I'm calculating the time difference between two events by using Transaction and Duration. Below is the query that I used to get the duration between two events, Model and Response:
host=* sourcetype=** source="*/example.log" "Model*" OR "Response*"
| transaction traceId startswith="Model" endswith="Response"
| eval dur=duration
| eval time_taken=tostring(dur,"duration")
| table traceId time_taken _time
And the result would be similar to:
traceId | time_taken | _time
trace_1681692777 | 00:00:0.451 | 2019-07-03 15:52:02.537
trace_1681692779 | 00:00:1.921 | 2019-07-03 15:55:00.129
trace_1681692780 | 00:00:3.981 | 2019-07-03 15:59:01.754
Using the above data, I want to get the max, min and avg time_taken
values. I tried using stats min(dur) as min, etc and eval but was not successful. How do I achieve this?
Like this:
index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo AND host=* AND source="*/example.log" AND ("Model*" OR "Response*")
| transaction traceId startswith="Model" endswith="Response"
| eventstats min(duration) AS min_dur max(duration) AS max_dur avg(duration) AS avg_dur
| rename duration AS time_taken
| fieldformat time_taken = tostring(time_taken,"duration")
| table traceId time_taken _time *_dur
Works like a charm. Thank you
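The answer works because eventstats keeps every transaction row and attaches the aggregates to each one, whereas stats would collapse the rows to a single result. The following Python is an added example, not code from the post or from Splunk: it pairs Model and Response lines by traceId from constructed log lines (the line layout, regex and field names are assumptions), computes each duration, and attaches min/max/avg to every row the way the eventstats line does.

```python
import re
from datetime import datetime
from statistics import mean
# Constructed sample log lines (not from the original post): each request logs a
# "Model" line and later a "Response" line that share one traceId.
SAMPLE_LOG = """\
2019-07-03 15:52:02.537 traceId=trace_1681692777 Model loaded
2019-07-03 15:52:02.988 traceId=trace_1681692777 Response sent
2019-07-03 15:55:00.129 traceId=trace_1681692779 Model loaded
2019-07-03 15:55:02.050 traceId=trace_1681692779 Response sent
2019-07-03 15:59:01.754 traceId=trace_1681692780 Model loaded
2019-07-03 15:59:05.735 traceId=trace_1681692780 Response sent
2019-07-03 15:59:09.000 traceId=trace_1681692781 Model loaded
"""
# Assumed line layout: "<timestamp> traceId=<id> <message>".
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) traceId=(?P<trace>\S+) (?P<msg>.*)$")

def to_duration_string(seconds):
    """Format seconds as HH:MM:SS.mmm, the shape tostring(x, "duration") gives."""
    total_ms = round(seconds * 1000)
    hours, rest = divmod(total_ms, 3_600_000)
    minutes, rest = divmod(rest, 60_000)
    secs, millis = divmod(rest, 1000)
    return f"{hours:02d}:{minutes:02d}:{secs:02d}.{millis:03d}"

def build_transactions(log_text):
    """Pair each Model line with the next Response line of the same traceId, like
    transaction traceId startswith="Model" endswith="Response"; unpaired Model lines are dropped."""
    open_tx, transactions = {}, []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines that do not fit the assumed layout
        ts = datetime.strptime(match["ts"], "%Y-%m-%d %H:%M:%S.%f")
        trace, msg = match["trace"], match["msg"]
        if msg.startswith("Model"):
            open_tx[trace] = ts  # startswith: open a transaction
        elif msg.startswith("Response") and trace in open_tx:
            start = open_tx.pop(trace)  # endswith: close it, compute duration
            transactions.append({"traceId": trace, "_time": start,
                                 "duration": (ts - start).total_seconds()})
    return transactions

def add_event_stats(transactions):
    """Like eventstats: keep every row and attach min/max/avg of duration to each."""
    durations = [t["duration"] for t in transactions]
    if not durations:
        return []
    agg = {"min_dur": min(durations), "max_dur": max(durations), "avg_dur": mean(durations)}
    return [{**t, "time_taken": to_duration_string(t["duration"]), **agg} for t in transactions]
```

The orphan trace_1681692781 Model line never closes, so it does not appear in the output; every returned row carries the same min_dur, max_dur and avg_dur alongside its own time_taken.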