Hello,
I have a search like:
orders=* | transaction order_id
Now I want to see the orders which took the longest time (stats max(duration) by order_id) and the ones with the fastest (same with min(duration)).
How to best display them in the same table? I want to have the fastest 10 and slowest 10. As transaction is an expensive search, I would prefer not to make a join and run the full search again and correlate them by _time, for example. Any ideas are welcome.
br
matthias
Hi Matthias_BY
something like this should get you started:
orders=* | transaction order_id maxspan=30s | eval longest = max(duration) | eval fastest = min(duration) | top longest fastest | table order_id longest fastest
You can speed up transaction by adding maxspan; take here the longest time range you would expect your orders to take. The command top limits by default to 10.
Hope this helps a bit.....
Cheers, MuS
Ok, just tried the eval and they work perfectly as long as your field has numeric values.....
Can you provide some sample data? This was a simple guess and try.
hi,
I tried it but it does not work. The eval statements are wrong and do not work...
br
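One way to get the ten fastest and ten slowest transactions in a single table without a join or a second transaction pass, added here as an example and not taken from any post in this thread. It assumes the same orders=* events and order_id field as the question, and that transaction's duration field is numeric (seconds):

```spl
orders=*
| transaction order_id maxspan=30s
| fields order_id duration
| sort 0 duration
| streamstats count AS rank
| eventstats count AS total
| where rank<=10 OR rank>total-10
| eval speed=if(rank<=10, "fastest", "slowest")
| table speed rank order_id duration
```

sort 0 lifts sort's default row limit so every transaction is ranked; the where clause keeps only the first and last ten rows of that ascending order, so transaction runs once and the result lists both groups, labelled by the speed column.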