You can do this using mvlist, mvexpand and streamstats. Here is the full search:
host=dtsever01 source=/tmp/messages.log sourcetype=messages tx_id=* | eval phaseTime=mvzip(tx_state,_time) | transaction tx_id startswith="FPA" endswith="FUS" mvlist=phaseTime | search credit_bureau | mvexpand phaseTime | rex field=phaseTime "(?<tx_phase>.*),(?<tx_phase_time>.*)" | streamstats current=f window=1 last(tx_phase_time) as prevTime by tx_id | eval elapsedTime=if(isnull(prevTime),null(),tx_phase_time - prevTime) | chart avg(elapsedTime) avg(duration) by tx_id tx_phase
And here is the search broken down by each step explaining what's happening. First create a field that contains the phase of the transaction and the time so that we can work with this later:
host=dtsever01 source=/tmp/messages.log sourcetype=messages tx_id=* | eval phaseTime=mvzip(tx_state,_time)
Next, create your transaction, being sure to set the mvlist option for the field we just created. This will keep phaseTime in the correct order:
... | transaction tx_id startswith="FPA" endswith="FUS" mvlist=phaseTime | search credit_bureau ...
Now expand your transaction based on the phaseTime. This creates a new event for every distinct value of phaseTime:
... | mvexpand phaseTime ...
Next extract phaseTime into phase and time for each of the new events:
... | rex field=phaseTime "(?<tx_phase>.*),(?<tx_phase_time>.*)"
Now use streamstats to pull in the previous event's time by transaction id:
... | streamstats current=f window=1 last(tx_phase_time) as prevTime by tx_id
Lastly, use eval to figure the time elapsed during each step of the transaction:
... | eval elapsedTime=if(isnull(prevTime),null(),tx_phase_time - prevTime)
and compute your statistics:
... | chart avg(elapsedTime) avg(duration) by tx_id tx_phase
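As an added example, not part of the answer above and not Splunk code: a Python emulation of the same pipeline (mvzip, transaction with mvlist, mvexpand/rex, streamstats lag, eval, chart) run over a constructed messages.log sample, so the per-phase elapsed times the search should report can be checked offline. The line layout, the CHK phase name and the "credit_bureau" keyword are assumptions; the emulation keeps only complete FPA..FUS transactions.

```python
import re
from collections import defaultdict
from statistics import mean
# Constructed messages.log events (not from the original post): epoch seconds,
# tx_id, tx_state and the free text that the `search credit_bureau` step matches.
SAMPLE_LOG = """\
1700000000 tx_id=A1 tx_state=FPA credit_bureau lookup started
1700000003 tx_id=A1 tx_state=CHK credit_bureau score received
1700000007 tx_id=A1 tx_state=FUS credit_bureau lookup finished
1700000010 tx_id=B2 tx_state=FPA credit_bureau lookup started
1700000012 tx_id=B2 tx_state=CHK credit_bureau score received
1700000019 tx_id=B2 tx_state=FUS credit_bureau lookup finished
1700000020 tx_id=C3 tx_state=FPA address lookup started
1700000021 tx_id=C3 tx_state=FUS address lookup finished
"""
LINE_RE = re.compile(r"^(?P<t>\d+) tx_id=(?P<tx_id>\S+) tx_state=(?P<tx_state>\S+) (?P<msg>.*)$")

def parse_events(log):
    """Field extraction: one dict per line, like the raw events before `transaction`."""
    return [{"_time": int(m["t"]), "tx_id": m["tx_id"], "tx_state": m["tx_state"], "_raw": m[0]}
            for m in map(LINE_RE.match, log.splitlines()) if m]

def build_transactions(events, start="FPA", end="FUS", keyword="credit_bureau"):
    """transaction tx_id startswith=FPA endswith=FUS mvlist=phaseTime | search credit_bureau (complete transactions only)."""
    by_tx = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["_time"]):
        by_tx[ev["tx_id"]].append(ev)
    txs = {}
    for tx_id, evs in by_tx.items():
        if evs[0]["tx_state"] != start or evs[-1]["tx_state"] != end:
            continue
        if not any(keyword in e["_raw"] for e in evs):
            continue
        # mvlist=phaseTime keeps the (tx_state, _time) pairs in event order, like mvzip did
        txs[tx_id] = {"phaseTime": [(e["tx_state"], e["_time"]) for e in evs],
                      "duration": evs[-1]["_time"] - evs[0]["_time"]}
    return txs

def phase_elapsed(txs):
    """mvexpand + rex + streamstats last(tx_phase_time) by tx_id + eval elapsedTime, then chart avg(elapsedTime) avg(duration) by tx_id tx_phase."""
    rows = defaultdict(lambda: {"elapsed": [], "duration": []})
    for tx_id, tx in txs.items():
        prev = None  # streamstats current=f window=1: the previous phase's time
        for phase, t in tx["phaseTime"]:
            if prev is not None:  # first phase has no prevTime, so elapsedTime stays null
                rows[(tx_id, phase)]["elapsed"].append(t - prev)
            rows[(tx_id, phase)]["duration"].append(tx["duration"])
            prev = t
    return {k: {"avg_elapsed": mean(v["elapsed"]) if v["elapsed"] else None,
                "avg_duration": mean(v["duration"])} for k, v in rows.items()}
```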