I am using the below query to create a timechart.
sourcetype=xxx AND source = "xxxx" | rex "Operation:(?<Operation>[A-Z]*)" | rex "\[Tx.*\]:\[(?<TransactionId>.*)\]:" | transaction TransactionId | timechart avg(duration) by Operation
There are only two possible values for Operation: GetToken, SetToken
But in the result, I am seeing 3 columns (3 lines in the timechart):
GetToken
SetToken
VALUE (average of GetToken, SetToken for each row)
Why does this VALUE column come in? It didn't happen in other queries. What am I doing wrong?