My original query only returned start and end events so the duration calculation worked. With the change to the base query, we'll have to change how we extract times.

"My Base query" ("Starting execution for request" OR "Successfully completed execution" OR "status" OR "Path")
| rex "status:\s+(?<Status>.*)\"}"
| rex field=_raw "\((?<Message_Id>[^\)]*)"
| rex "Path\:\s+(?<ResourcePath>.*)\""
| rex "timestamp\:\s+(?<timestamp>.*)\""
| eval startTime = if(searchmatch("Starting execution for request"), timestamp, startTime),
endTime = if(searchmatch("Successfully completed execution"), timestamp, endTime)
| stats max(startTime) as startTime, max(endTime) as endTime, values(*) as * by Message_Id | stats values(*) as * by Message_Id
| eval end_timestamp_s = endTime/1000, start_timestamp_s = startTime/1000 | eval duration = end_timestamp_s - start_timestamp_s
| eval human_readable_etime = strftime(end_timestamp_s, "%Y-%m-%d %H:%M:%S"), human_readable_stime = strftime(start_timestamp_s, "%Y-%m-%d %H:%M:%S"), duration = tostring(duration, "duration")
| table Message_Id human_readable_stime human_readable_etime duration Status ResourcePath
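The same per-request pairing done outside Splunk, as an added example that is not part of the original post or the poster's query: the sample events, request ids and paths are constructed to fit the rex patterns above, and the timestamp pattern is narrowed to digits. It also shows what the stats pipeline hides, a request that has a start event but no completion event yields no duration rather than a misleading number.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not from the post); the request id sits in the
# first parentheses, the way the poster's Message_Id rex expects it.
SAMPLE_EVENTS = [
    '(req-001) Starting execution for request {"timestamp: 1700000000000"}',
    '(req-001) Path: /orders/42"',
    '(req-001) Successfully completed execution {"timestamp: 1700000001250"}',
    '(req-001) Method completed with status: 200"}',
    '(req-002) Starting execution for request {"timestamp: 1700000005000"}',
    '(req-002) Path: /login"',  # no end event: request never completed
]

# Python equivalents of the four rex stages in the query.
MESSAGE_ID = re.compile(r"\((?P<Message_Id>[^)]*)")
STATUS = re.compile(r'status:\s+(?P<Status>.*)"}')
PATH = re.compile(r'Path:\s+(?P<ResourcePath>.*)"')
TIMESTAMP = re.compile(r'timestamp:\s+(?P<timestamp>\d+)"')  # ms since epoch


def to_human(ms):
    """strftime(epoch/1000, "%Y-%m-%d %H:%M:%S") in UTC, or None when absent."""
    if ms is None:
        return None
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def correlate(events):
    """Group events by Message_Id and derive start/end/duration per request.

    The start event supplies startTime and the end event supplies endTime
    (epoch ms), other events of the same request contribute Status and
    ResourcePath, mirroring the eval + stats ... by Message_Id stages.
    """
    rows = defaultdict(dict)
    for line in events:
        mid = MESSAGE_ID.search(line)
        if not mid:
            continue  # no request id: cannot be correlated, skip it
        row = rows[mid.group("Message_Id")]
        ts = TIMESTAMP.search(line)
        if "Starting execution for request" in line and ts:
            row["startTime"] = int(ts.group("timestamp"))
        elif "Successfully completed execution" in line and ts:
            row["endTime"] = int(ts.group("timestamp"))
        for pattern in (STATUS, PATH):
            hit = pattern.search(line)
            if hit:
                row.update(hit.groupdict())
    for row in rows.values():
        start, end = row.get("startTime"), row.get("endTime")
        # Only report a duration when both sides of the pair were seen.
        row["duration_s"] = (end - start) / 1000 if start is not None and end is not None else None
        row["human_readable_stime"] = to_human(start)
        row["human_readable_etime"] = to_human(end)
    return dict(rows)
```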