Actually, you probably meant not to use _time in the "by" clause of the timechart command, since timechart is already by time.
If you do:
CALLNAME="method-1" OR CALLNAME="method-2" CALLSTATUS="CALL_ENDED"
| timechart span=5m count(CALLDURATION) as count, avg(CALLDURATION) as duration by CALLNAME
timechart will produce 4 columns, named "count: method-1", "duration: method-1", "count: method-2", and "duration: method-2". You can then perform the rest of the search using those fields, but to make things a bit simpler I'd first rename the fields:
CALLNAME="method-1" OR CALLNAME="method-2" CALLSTATUS="CALL_ENDED"
| timechart span=5m count(CALLDURATION) as count, avg(CALLDURATION) as duration by CALLNAME
| rename
"count: method-1" as count_1, "count: method-2" as count_2,
"duration: method-1" as duration_1, "duration: method-2" as duration_2
| eval duration_D=duration_2 - duration_1
| where ( count_1 >= 5 AND duration_1 > 4000 ) OR (count_2 >= 5 AND duration_2 > 10000 ) OR (count_1 >= 5 AND count_2 >= 5 AND duration_D > 7000)
Note that for cases where timechart isn't appropriate, you can do the same using "stats", but instead of 2 aggregation expressions you would use 4 with an "eval" condition, as follows:
stats
sum(eval(if(CALLNAME=="method-1",1,0))) as count_1,
sum(eval(if(CALLNAME=="method-2",1,0))) as count_2,
avg(eval(if(CALLNAME=="method-1",CALLDURATION,null()))) as duration_1,
avg(eval(if(CALLNAME=="method-2",CALLDURATION,null()))) as duration_2
by whatever_field
Hope this helps,
Yair Halevi (Spock)
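To make the semantics of the timechart/rename/eval/where pipeline above concrete, here is an added Python simulation (not code from the original post or from Splunk) that runs the same 5-minute bucketing, per-method count and average, and the same threshold conditions over a handful of constructed CALL_ENDED events; the event timestamps, durations and helper names are assumptions.

```python
from collections import defaultdict
from datetime import datetime

def ev(ts, name, dur, status="CALL_ENDED"):
    return {"_time": ts, "CALLNAME": name, "CALLSTATUS": status, "CALLDURATION": dur}

# Constructed sample events, not taken from the original post.
EVENTS = (
    [ev("2024-01-01T10:01:00Z", "method-1", d) for d in (4100, 4200, 4300, 4400, 4500)]
    + [ev("2024-01-01T10:06:00Z", "method-1", 1000) for _ in range(5)]
    + [ev("2024-01-01T10:07:00Z", "method-2", 9000) for _ in range(5)]
    + [ev("2024-01-01T10:12:00Z", "method-2", 20000) for _ in range(3)]
    + [ev("2024-01-01T10:12:30Z", "method-1", 99999, "CALL_FAILED")]  # filtered out
)

SPAN = 5 * 60  # span=5m

def bucket(ts):
    # timechart aligns buckets to span boundaries, so floor the epoch to 5 minutes
    epoch = int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp())
    return epoch - epoch % SPAN

def timechart(events):
    # Mirrors: timechart span=5m count(CALLDURATION) as count, avg(CALLDURATION) as
    # duration by CALLNAME, followed by the rename to count_N / duration_N.
    # A method with no events in a bucket gets count 0 and a null (None) average.
    acc = defaultdict(lambda: defaultdict(list))
    for e in events:
        if e["CALLSTATUS"] != "CALL_ENDED" or e["CALLNAME"] not in ("method-1", "method-2"):
            continue
        acc[bucket(e["_time"])][e["CALLNAME"]].append(e["CALLDURATION"])
    rows = []
    for t in sorted(acc):
        row = {"_time": t}
        for i, name in ((1, "method-1"), (2, "method-2")):
            d = acc[t].get(name, [])
            row[f"count_{i}"] = len(d)
            row[f"duration_{i}"] = sum(d) / len(d) if d else None
        rows.append(row)
    return rows

def alerts(rows):
    # Mirrors the eval duration_D and the where clause. Any comparison involving a
    # null field is false, so a bucket missing one method can only fire on the
    # other method's own rule, never on the duration_D rule.
    hits = []
    for r in rows:
        c1, c2, d1, d2 = r["count_1"], r["count_2"], r["duration_1"], r["duration_2"]
        dD = d2 - d1 if d1 is not None and d2 is not None else None
        if ((c1 >= 5 and d1 is not None and d1 > 4000)
                or (c2 >= 5 and d2 is not None and d2 > 10000)
                or (c1 >= 5 and c2 >= 5 and dD is not None and dD > 7000)):
            hits.append(r["_time"])
    return hits
```

Running `alerts(timechart(EVENTS))` flags the first bucket on the method-1 rule and the second on the duration_D rule, while the third bucket (only three method-2 calls) stays silent.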