i have a search like:
orders=* | transaction order_id
now i want to see the orders who took the longest time (stats max(duration) by order_id) and the one with the fastest (same with min(duration)).
how to best display them in the same table. i want to have the fastest 10 and slowest 10. as transaction is an expensive search, i would prefer if i do not need to make a join and run the full search again and correlate them by _time for example. any ideas are welcome.
something like this should get you started:
orders=* | transaction order_id maxspan=30s | eval longest = max(duration) | eval fastest = min(duration) | top longest fastest | table order_id longest fastest
You can speed up transaction by adding maxspan; take here the longest time range you would expect your orders to take. The command top limits to 10 by default.
Hope this helps a bit.....
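As an added example that is not part of the original answer: one way to get the 10 fastest and 10 slowest transactions into a single table from one pass over the expensive transaction output, ranking the results with streamstats/eventstats instead of joining or rerunning the search. The field names order_id and duration come from the question (transaction emits duration itself); the kind label and the maxspan of 30s are assumptions.

```spl
orders=* | transaction order_id maxspan=30s
| sort 0 duration
| streamstats count AS rank
| eventstats count AS total
| where rank <= 10 OR rank > total - 10
| eval kind = if(rank <= 10, "fastest", "slowest")
| table kind rank order_id duration
```

sort 0 lifts the default 10000-row cap on sort so the slowest transactions are not silently dropped; if fewer than 20 transactions exist, the two groups overlap and a row is labelled "fastest" first, which is why rank is kept in the table.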