Logs Format:
Event1
DT=2018-05-14T01:17:57.805-0700 |TrasID=Hostname1:processName1:201805140116510739:Uniqnumber1 |Type=Response Sent | Severity=INFO ||Main=XXXXXXXXXXXXXXX, Message Timestamp:2018-05-14 01:17:57.641|
Event2
DT=2018-05-14T01:17:57.649-0700 |TrasID=Hostname1:processName1:201805140116510739:Uniqnumber1 |Type=Request Received | Severity=INFO|Main=XXXXXXXXXXXXXXX, Message Timestamp:2018-05-14 01:17:57.641|
Query used:
index=TEST source=Log1 ("Request Received" OR "Response Sent")
| rex field=_raw "DT=(?<DT>[^ |]+)"
| rex field=_raw "TrasID=(?<TrasID>[^ |]+)"
| rex field=_raw "Type=(?<Type>[^|]+?)\s*\|"
| eval EventTime=strptime(DT, "%Y-%m-%dT%H:%M:%S.%3N%z")
| eval TimeOnrequest=if(Type=="Request Received", EventTime, null())
| eval TimeOnresponse=if(Type=="Response Sent", EventTime, null())
| stats min(TimeOnrequest) AS TimeOnrequest, max(TimeOnresponse) AS TimeOnresponse, values(ErrorCode) AS ErrorCode BY TrasID
| where isnotnull(TimeOnrequest) AND isnotnull(TimeOnresponse)
| eval ResponseTime=TimeOnresponse-TimeOnrequest, _time=TimeOnrequest
| timechart span=15m avg(ResponseTime) BY ErrorCode
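The correlation the query is trying to do, written as a stand-alone script (an added example, not code from the post above or from Splunk): parse the pipe-delimited `key=value` fields, pair each "Request Received" with its "Response Sent" by TrasID, take the difference of the two DT values (the Message Timestamp is identical in both events of a pair, so it cannot be used for the response side), and average the result per 15-minute bucket. The log lines are constructed to match the format shown; transaction ids 2 and 3 and their times are made up, and a request with no response is deliberately included so the pairing step has to skip it rather than invent a latency.

```python
"""Pair request/response log events by transaction id and average the latency per 15-minute span.

Added example; the sample log lines below are constructed in the post's format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample data: one complete pair from the post, one extra pair, and one orphan request.
SAMPLE_LOG = """\
DT=2018-05-14T01:17:57.805-0700 |TrasID=Hostname1:processName1:201805140116510739:Uniqnumber1 |Type=Response Sent | Severity=INFO ||Main=XXXXXXXXXXXXXXX, Message Timestamp:2018-05-14 01:17:57.641|
DT=2018-05-14T01:17:57.649-0700 |TrasID=Hostname1:processName1:201805140116510739:Uniqnumber1 |Type=Request Received | Severity=INFO|Main=XXXXXXXXXXXXXXX, Message Timestamp:2018-05-14 01:17:57.641|
DT=2018-05-14T01:20:10.000-0700 |TrasID=Hostname1:processName1:201805140120100000:Uniqnumber2 |Type=Request Received | Severity=INFO|Main=XXXXXXXXXXXXXXX, Message Timestamp:2018-05-14 01:20:10.000|
DT=2018-05-14T01:20:12.500-0700 |TrasID=Hostname1:processName1:201805140120100000:Uniqnumber2 |Type=Response Sent | Severity=INFO ||Main=XXXXXXXXXXXXXXX, Message Timestamp:2018-05-14 01:20:10.000|
DT=2018-05-14T01:40:00.000-0700 |TrasID=Hostname1:processName1:201805140140000000:Uniqnumber3 |Type=Request Received | Severity=INFO|Main=XXXXXXXXXXXXXXX, Message Timestamp:2018-05-14 01:40:00.000|
"""

# Each field is "Key=value" terminated by "|"; trailing whitespace before the pipe is dropped.
FIELD_RE = re.compile(r"(?P<key>DT|TrasID|Type|Severity)=(?P<val>[^|]*?)\s*(?=\|)")
DT_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"  # matches 2018-05-14T01:17:57.805-0700


def parse_line(line):
    """Return the named fields of one log line as a dict (missing keys are simply absent)."""
    return {m.group("key"): m.group("val") for m in FIELD_RE.finditer(line)}


def response_times(lines):
    """Map TrasID -> (request_time, response_seconds) for ids that have both events.

    Lines are not assumed to be in time order: the earliest request and the latest
    response win. Orphan requests or responses are skipped, not guessed.
    """
    requests, responses = {}, {}
    for line in lines:
        fields = parse_line(line)
        if not {"DT", "TrasID", "Type"} <= fields.keys():
            continue  # malformed line: no timestamp, id or type to work with
        ts = datetime.strptime(fields["DT"], DT_FORMAT)
        tid = fields["TrasID"]
        if fields["Type"] == "Request Received":
            requests[tid] = min(requests.get(tid, ts), ts)
        elif fields["Type"] == "Response Sent":
            responses[tid] = max(responses.get(tid, ts), ts)
    return {
        tid: (req, (responses[tid] - req).total_seconds())
        for tid, req in requests.items()
        if tid in responses
    }


def avg_by_span(paired, span=timedelta(minutes=15)):
    """Average latency per span-aligned bucket; buckets are keyed on the request time as UTC ISO strings."""
    buckets = defaultdict(list)
    width = span.total_seconds()
    for req, secs in paired.values():
        epoch = req.timestamp()
        start = epoch - (epoch % width)
        buckets[datetime.fromtimestamp(start, tz=timezone.utc).isoformat()].append(secs)
    return {k: sum(v) / len(v) for k, v in sorted(buckets.items())}


def run_sample():
    """Run the pipeline over the constructed sample and return (pairs, per-bucket averages)."""
    paired = response_times(SAMPLE_LOG.splitlines())
    return paired, avg_by_span(paired)


if __name__ == "__main__":
    pairs, averages = run_sample()
    for tid, (req, secs) in pairs.items():
        print(f"{tid}: {secs:.3f}s (request at {req.isoformat()})")
    for bucket, avg in averages.items():
        print(f"{bucket}: avg {avg:.3f}s")
```

The bucket key is derived from the request time, which is the same choice the corrected SPL makes with `_time=TimeOnrequest`; pick the response time instead if the chart should reflect when work finished rather than when it arrived.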