I am using a transaction to combine events and I want to calculate the difference in time between the two events. I am getting a "Typechecking failed. '-' only takes numbers" error when trying to do subtraction on the _time field. Is there a way to do this?
Here is my search:
"Starting task" OR "Terminating task"
| eval myTime = _time
| transaction pid
| eval duration = mvindex(myTime, 1)-mvindex(myTime, 0), startTime = strftime(mvindex(myTime, 0), "%m/%d/%Y %H:%M:%S"), endTime = strftime(mvindex(myTime, 1), "%m/%d/%Y %H:%M:%S")
| table pid startTime endTime duration
***Edit*
Responding to grittonc's question:
Yes - I am certain myTime is multi-valued. I can properly see the startTime and endTime values populating correctly in my table. Also - here is a snippet of the combined event:
... View more