Start/End time Displaying Same time

_gkollias · ‎02-27-2014

I have a search where I'd like to show the duration of the order.

My search below almost gives me that, but the start_time and end_time are showing as the same, giving duration a value of 0.000

Here is my search:

index=cg sourcetype=esb_audit esb_top_level=1 NOT bp_bp_name="*Task" svc_context_name="$svc_context_name$" | stats min(_time) as start_time, max(_time) as end_time, earliest(status) as start_status, latest(status) as exit_status, first(other) as exit_message, last(total) as total by svc_context_name, _time |eval duration = (end_time-start_time) |convert ctime(start_time) |convert ctime(end_time) |search exit_status="SUCCESS" |table svc_context_name, start_time, end_time, start_status, exit_status, exit_message, duration

I've also tried doing ...|stats earliest(time) as start_time, latest(time) as end_time, etc...| But I get the same results.

Is there a way to modify this search to get more accurate start/end time values?

Thanks!

wpreston · ‎02-27-2014

See my updated answer on your other question here. Does this help?

Start/End time Displaying Same time

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

Data Management Digest – December 2025

Join the Conversation

Start/End time Displaying Same time

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

Data Management Digest – December 2025