Hi @yuanliu , really appreciate your help and patience here. My requirements had changed and this is my current search query
index=abc sourcetype = example_sourcetype
| transaction startswith="Saved messages to DB" endswith="Done bulk saving messages" keepevicted=t
| eval no_msg_wait_time = mvcount(noMessageHandleCounter) * 1000
| fillnull no_msg_wait_time
| rename duration as processing_time
| eval _raw = mvindex(split(_raw, "
"), -1)
| rex "Done Bulk saving .+ used (?<db_bulk_write_time>\w+)"
| eval processing_time = processing_time * 1000
| eval mq_read_time = processing_time - db_bulk_write_time - no_msg_wait_time
| where db_bulk_write_time > 0
| rename processing_time as "processing_time(ms)", db_bulk_write_time as "db_bulk_write_time(ms)", no_msg_wait_time as "no_msg_wait_time(ms)", mq_read_time as "mq_read_time(ms)"
| table _time, processing_time(ms), db_bulk_write_time(ms), no_msg_wait_time(ms), mq_read_time(ms), Count, _raw
So now for the processing_time(ms) column, the calculation instead is starting from the 2 previous occurrences of "All Read threads finished flush the messages" to "Done bulk saving messages". So in the example below, 2024-08-12 10:02:20,542 will have a processing_time from 10:02:19,417 to 10:02:20,542.

2024-08-12 10:02:19,417 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-12 10:02:20,526 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 1 Count=1
2024-08-12 10:02:20,542 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 6 ms

How can I also create a time series graph on the same graph, where the x axis is time and the y axis is a bar chart of the count column + a line chart of the new processing_time(ms)?