I'm trying to limit the scope of a search to a 24-hour window and list all of the files analyzed within that period, but then display a table of how long it took to finish processing each file.
For example, I have:
2015-07-31 15:56:13.7599|DEBUG|FileAnalyzer|Finished file.zip
2015-07-31 15:56:13.0099|DEBUG|FileAnalyzer|Starting file.zip
I can get something as simple as:
host=server earliest=7/31/2015:00:00:00 latest=7/31/2015:23:59:59 ("Starting" OR "Finished") | rex "(?<inputfile>\w*\.zip)" | stats count by inputfile
But that's a simple count. I'm looking for a table that will resemble something like:
INPUTFILE | DURATION
file.zip | 3.067
I've tried a combination of map, transaction, and table with and without subsearches without being successful. Any help would be most appreciated.
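One way to build that table in SPL, as an added example that is not from the original post: the regex captures both the phase and the file name, the two timestamps are collapsed per file with `stats`, and files that lack either a Starting or a Finished event in the window are dropped instead of producing a bogus duration. The `phase`, `start_time`, `end_time` and `duration` field names are my own choices; `host=server` and the time window are taken from the question.

```spl
host=server earliest=7/31/2015:00:00:00 latest=7/31/2015:23:59:59 ("Starting" OR "Finished")
| rex "\|(?<phase>Starting|Finished) (?<inputfile>\S+\.zip)$"
| stats min(eval(if(phase=="Starting", _time, null()))) AS start_time
        max(eval(if(phase=="Finished", _time, null()))) AS end_time
        BY inputfile
| where isnotnull(start_time) AND isnotnull(end_time)
| eval duration=round(end_time - start_time, 3)
| table inputfile duration
```

Sub-second durations only appear if Splunk parsed the fractional part of the log timestamp (the `.7599` in the sample lines) into `_time`; if the sourcetype's timestamp extraction drops it, durations will be rounded to whole seconds, so check `_time` with `| eval t=_time` first.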