We have periodic events of the same kind and I want to count the time (duration) and the number of other events (eventcount) between them. For example, consider streams of events coming from different
stream=1: Marker
stream=2: Marker
stream=1: Marker
stream=3: Marker
stream=3: Marker
stream=2: Marker
I tried using a transaction with the same start- and stop- condition:
transaction stream startswith=Marker endswith=Marker
expecting it to do what I want -- but instead, every such "transaction" has a duration of 0 and event-count of 1. Instead of three transactions in the above example, I got six...
How can I create a stream of transactions, where the starting event of the next one is also the ending event of the previous?
| makeresults count=2
| streamstats count
| eval _time=if((count == 2),relative_time('_time',"-1@d"),relative_time('_time',"@m"))
| makecontinuous span=1m
| eval stream=((random() % 3) + 1)
`comment("this is sample data")`
| streamstats count
| xyseries count stream _time
| sort count
| eval count=1
| stats delim="," list(*) as stream* by count
| eval count=max(mvcount(stream1),mvcount(stream2),mvcount(stream3))
| eval counter=mvrange(1,count)
| mvexpand counter
| foreach stream* [eval stream_<<MATCHSTR>> = mvindex(<<FIELD>>,counter - 1)]
| autoregress stream_1 as stream_1_p
| autoregress stream_2 as stream_2_p
| autoregress stream_3 as stream_3_p
| fields stream_*
| foreach stream_* stream_*_p [eval duration_stream_<<MATCHSEG1>>= round(stream_<<MATCHSEG1>> - stream_<<MATCHSEG1>>_p)]
| foreach stream_* [eval <<FIELD>>=strftime(<<FIELD>>,"%F %T")]
| fields - stream_*_*
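An added example, not code from this thread: one way to get back-to-back intervals per stream without transaction, where each Marker closes the previous interval and opens the next one. It assumes events carry a stream field and that Marker events contain the literal text "Marker"; the index and sourcetype names are placeholders, and the comment macro is the one used in the search above.

```spl
index=your_index sourcetype=your_sourcetype
`comment("index and sourcetype are placeholders; flag the periodic Marker events")`
| eval is_marker=if(searchmatch("Marker"), 1, 0)
| sort 0 stream _time
`comment("running Marker count per stream: every event gets the id of the last Marker seen")`
| streamstats sum(is_marker) as interval_id by stream
`comment("interval_id=0 means the event arrived before the first Marker of its stream")`
| where interval_id > 0
| stats min(_time) as start_time count as events by stream interval_id
`comment("walk newest-first so the previous row holds the NEXT Marker of the same stream")`
| sort 0 stream -interval_id
| streamstats current=f window=1 global=f last(start_time) as end_time by stream
`comment("the newest interval of each stream is still open (no closing Marker yet)")`
| where isnotnull(end_time)
`comment("events includes the opening Marker, so subtract it to count only the other events")`
| eval duration=end_time - start_time, eventcount=events - 1
| sort 0 stream start_time
| eval start_time=strftime(start_time, "%F %T"), end_time=strftime(end_time, "%F %T")
| table stream start_time end_time duration eventcount
```

For the six Markers in the question this yields three rows, one per stream, instead of six zero-length transactions.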
I tried various things on the premise of extracting the