I want to get the duration between two different events.
In a simplified structure my events have a timestamp and a state (Online, Offline). Every minute a new event is added to the index that contains data like the following example
What I want to achieve is the duration from the first occurrence of an event whose State is "Offline" until it changes to "Online" again.
I tried to achieve that using transactions, but when I use them with the "startswith=Offline" and "endswith=Online" options I get multiple results, because after the first Offline state of each block another Offline state follows until it changes back to Online. Referring to my example, I get three results from the transaction for the timespan between 03 and 06 (03 to 06, 04 to 06, 05 to 06), but I'd like to have only one result for the transaction (03 - 06).
My current query looks similar to this one:
* | transaction startswith=(state="Offline") endswith=("state"=Online)
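Added example, not part of the original post: one way to get a single result per Offline block is to drop every event whose state equals the state of the chronologically previous event, so that only the state changes reach `transaction`. It assumes a placeholder index name `your_index`, a field named `state` as in the query above, and a single monitored source (with several sources, a `BY` clause on a source field, for example `host`, would be needed on `streamstats` and as the field list of `transaction`).

```spl
index=your_index (state="Offline" OR state="Online")
| sort 0 _time
| streamstats current=f window=1 last(state) AS prev_state
| where isnull(prev_state) OR state!=prev_state
| sort 0 -_time
| transaction startswith=eval(state="Offline") endswith=eval(state="Online")
| table _time duration
```

The first `sort` puts events in ascending time order so `prev_state` is the state one event earlier, and the second restores the descending order that `transaction` expects. For the block described in the post only the 03 Offline and 06 Online events survive the `where` filter, so `transaction` returns one row whose `duration` field (in seconds) covers 03 to 06.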