This may not be exactly what you're looking for, but if you just want to have an overview;
... | bucket _time span=15m | dedup tr _time | timechart c span=15m by tr |
Assumption is that the tr transaction identifier can be used as such, without any startswith/endswith constraints. So now you'll have a '1' or '0' for each 15-minute block per transaction. So this will NOT measure the real duration of a transaction, it will just show whether parts of a transaction happened during a 15 min block. This can be visualised like below (although it seems a little buggy on my end). No drilldown and mouse-over on the legend is not reliable.
Click on the little charting icon and then 'formatting options'
ensure it's a column chart,
multi-series mode = split,
missing values = omit
Goto Y-axis, and set the min value to 0.99 max value to 1.01
This will be a rather ugly hack showing the presence of a transaction as (set of) block(s). There will be a small whitespace between connected columns, e.g. --- -- - would indicate three transactions, the first is 45 minutes long, then a 15 min break, then a 30-min transaction, then a 30 min break, and finally a 15 min transaction.
There is probably a simpler way of doing this.
/k
... View more
