I am trying to group the events using the transaction command, but it looks like some of the data is not visible in the statistics.
(index=test1 logpoint="request-in") OR (index=test1 logpoint="response-in") | transaction transaction-id startswith="request-in" endswith="response-in" maxevents=2 keeporphans=true | eval epoch_time=strptime('timestamp-in',"%Y-%m-%dT%H:%M:%S.%N") | eventstats range(epoch_time) as response_time by transaction-id | timechart span=1d avg(response_time) as average_duration
Any help would be highly appreciated.
Have you made sure you have relevant data events available on the dates of 18, 19, 20?
Is this the same behavior if you run your search over a different set of 7 days?
I think I found the solution: instead of eventstats I used stats and it worked 🙂
Another small question: I cannot mark this question as closed. Could you please guide me on this?
Using transactions is resource intensive; you can replace it with this, which runs only on stats, as it will run way faster:
index=test1 logpoint="request-in" OR logpoint="response-in" | stats min(_time) as start max(_time) as end first(timestamp-in) as timestamp-in by transaction-id | eval _time=strptime('timestamp-in',"%Y-%m-%dT%H:%M:%S.%N") | eval duration=end-start | timechart span=1d avg(duration) as average_duration
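A Python model of the stats-based pairing described above, added here as an example that is not part of the thread or of Splunk: it groups constructed request-in/response-in events (sample data, not real logs; the key=value line format is an assumption) by transaction-id, drops orphan requests that never got a response, and computes the per-day average response time the way the stats/timechart pipeline does.

```python
import re
from datetime import datetime, timezone
from statistics import mean

# Constructed sample events (not from the thread): one request-in/response-in
# pair per transaction-id, plus an orphan request with no matching response.
SAMPLE_EVENTS = [
    'logpoint="request-in" transaction-id=t1 timestamp-in=2023-05-18T10:00:00.000',
    'logpoint="response-in" transaction-id=t1 timestamp-in=2023-05-18T10:00:01.500',
    'logpoint="request-in" transaction-id=t2 timestamp-in=2023-05-18T11:00:00.000',
    'logpoint="response-in" transaction-id=t2 timestamp-in=2023-05-18T11:00:00.500',
    'logpoint="request-in" transaction-id=t3 timestamp-in=2023-05-19T09:00:00.000',
    'logpoint="response-in" transaction-id=t3 timestamp-in=2023-05-19T09:00:03.000',
    'logpoint="request-in" transaction-id=t4 timestamp-in=2023-05-19T09:30:00.000',  # orphan
]

FIELD_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')

def parse_event(line):
    """Split a key=value line into a dict, stripping quotes (assumed log format)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def to_epoch(ts):
    # Mirrors strptime(..., "%Y-%m-%dT%H:%M:%S.%N") from the thread's searches.
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)
    return dt.timestamp()

def response_times(lines):
    """Equivalent of `stats min(_time) as start max(_time) as end by transaction-id`:
    returns {transaction-id: (request_epoch, duration_seconds)} for complete pairs."""
    by_tid = {}
    for ev in map(parse_event, lines):
        by_tid.setdefault(ev["transaction-id"], {})[ev["logpoint"]] = to_epoch(ev["timestamp-in"])
    result = {}
    for tid, points in by_tid.items():
        if "request-in" in points and "response-in" in points:  # drop orphans
            result[tid] = (points["request-in"], points["response-in"] - points["request-in"])
    return result

def daily_average(lines):
    """Equivalent of `timechart span=1d avg(duration)`, bucketed by the request day."""
    per_day = {}
    for start, duration in response_times(lines).values():
        day = datetime.fromtimestamp(start, timezone.utc).strftime("%Y-%m-%d")
        per_day.setdefault(day, []).append(duration)
    return {day: mean(v) for day, v in sorted(per_day.items())}

if __name__ == "__main__":
    print(daily_average(SAMPLE_EVENTS))
```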