Good morning all,
I'm leveraging the transaction command in order to gather statistics around the duration of my requests in order to report on them. By default the transaction command leverages the _time field (timestamp) to calculate the duration for the transaction. However, the issue I'm facing is the timestamp appear to have intermittent jumps in it that's skewing my numbers. I'd assume it's just forwarded config perhaps.
I do have a second, more accurate, timestamps available to me that I'd like to leverage "ServerTime" which has been added to our events. I'm just trying to understand if I can override the transaction command to use the ServerTime field I have rather than the timestamp?
See attached screenshots demonstrating the issue. Thx in advance everyone 🙂
You can rewrite "_time" to be a valid timestamp from your event data, and then the transaction command will use that value instead.
For example, if you have a field called ServerTime in the format "12/02/2020 09:32:24 AM":
index=main source=http:xxxx ServiceName=xxxx OR ServiceName=xxxx CorrelationID=xxxx |rex xxxxxxxx|eval _time=strptime(ServerTime,"%m/%d/%Y %I:%M:%S %p") |transaction RawCorrelationID |stats count by duration
You can rewrite "_time" to be a valid timestamp from your event data, and then the transaction command will use that value instead.
For example, if you have a field called ServerTime in the format "12/02/2020 09:32:24 AM":
index=main source=http:xxxx ServiceName=xxxx OR ServiceName=xxxx CorrelationID=xxxx |rex xxxxxxxx|eval _time=strptime(ServerTime,"%m/%d/%Y %I:%M:%S %p") |transaction RawCorrelationID |stats count by duration
Perfect, worked a charm! Thank you kindly