Hi,
I'm looking to get a duration for a transaction that has multiple pairs of StartsWith and EndsWith conditions.
Log Pair 1:
start: id=1111 msg=trying to get info...
end: id=1111 msg=returing info...
Log Pair 2:
start: id=2222 msg=calling service to get info...
end: id=2222 msg=got info from service...
A given transaction can have either pair 1 or pair 2 logs, but they do not co-exist.
I have tried using the following query to get the time duration between the above events but I wasn't successful.
my search
| eval transaction_start=if(in(msg, "trying to get info", "calling service to get info"), _time, NULL), transaction_end=if(in(msg, "returing info", "got info from service"), _time, NULL)
| stats earliest(transaction_start) AS start_time latest(transaction_end) AS end_time BY id
| eval duration=tostring((end_time-start_time), "duration")
How do I get the time duration for these logs where start and end pair may vary?
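Added example, not part of the original post: one way to pair either start marker with either end marker per id, matching on the beginning of msg rather than on its whole value, since in() only matches exact values. Assumptions: each raw event has the form `id=<digits> msg=<text>` as in the samples above (the `rex` line is only needed if msg is not already extracted in full), and the marker strings are spelled exactly as they appear in the logs.

```spl
my search
| rex field=_raw "id=(?<id>\d+)\s+msg=(?<msg>.+)$"
| eval phase=case(
    match(msg, "^(trying to get info|calling service to get info)"), "start",
    match(msg, "^(returing info|got info from service)"), "end")
| where isnotnull(phase)
| stats min(eval(if(phase="start", _time, null()))) AS start_time
        max(eval(if(phase="end", _time, null()))) AS end_time
        BY id
| where isnotnull(start_time) AND isnotnull(end_time) AND end_time>=start_time
| eval duration=tostring(end_time-start_time, "duration")
```

The final `where` drops ids that have only a start or only an end event in the search window, so incomplete transactions do not produce an empty or negative duration.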