I want to get the duration between two different events.
In a simplified structure, my events have a timestamp and a state (Online, Offline). Every minute a new event is added to the index that contains data like the following example:
Time State
01 Online
02 Online
03 Offline
04 Offline
05 Offline
06 Online
07 Online
08 Offline
09 Offline
10 Online
11 Online
What I want to achieve is the duration from the first occurrence of an event whose State is "Offline" until it changes to "Online" again.
I tried to achieve that using transactions, but when I use them with the "startswith=Offline" and "endswith=Online" options I get multiple results, because after the first Offline state of each block another Offline state follows until it changes back to online. Referring to my example, I get three results from the transaction for the timespan between 03 and 06 (03 to 06, 04 to 06, 05 to 06), but I'd like to have only one result for the transaction (03 - 06).
My current query looks similar to this one:
* | transaction startswith=(state="Offline") endswith=(state="Online")
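One way to get a single result per Offline block, as an added example that is not part of the original post: keep only the events where the state changes, then pair each Online transition with the Offline transition before it. It assumes the field is named `state` as in the query above, that `your_index` is a placeholder for the real index, and that all events belong to one monitored source (with several sources, add a `by` clause on the source field to both `streamstats` commands and sort on that field first).

```spl
index=your_index state=*
| sort 0 _time
| streamstats current=f window=1 last(state) as prev_state
| where isnull(prev_state) OR state!=prev_state
| streamstats current=f window=1 last(_time) as offline_start
| where state="Online" AND isnotnull(offline_start)
| eval duration_sec=_time-offline_start
| eval duration=tostring(duration_sec, "duration")
| eval offline_start=strftime(offline_start, "%Y-%m-%d %H:%M:%S")
| table offline_start _time duration_sec duration
```

On the sample data this returns two rows, 03 to 06 and 08 to 10. If the search window opens in the middle of an Offline block, the first event in the window is treated as the start of that block, so its duration is a lower bound.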