Thanks for your reply. My First query as follows: It will capture the EventStartTime index=XX cf_org_name=YY event_type=LogMessage cf_app_name="*-Envtname*" | spath "msg.message" | search "msg.message"="*ProductID*" | spath "msg.message" | search "msg.message"!="*ACTIVITY.LOG.IMPORTS*" | spath "msg.level" | spath cf_app_name | search cf_app_name="*Servicename*" | spath "msg.message" | search "msg.message"="*Request Initiated*" rename msg.@timestamp as EventStartTime |table cf_app_name, EventStartTime, msg.message My Second query as follows: It will capture the EventEndTime index=XX cf_org_name=YY event_type=LogMessage cf_app_name="*-Envtname*" | spath "msg.message" | search "msg.message"="*ProductID*" | spath "msg.message" | search "msg.message"!="*ACTIVITY.LOG.IMPORTS*" | spath "msg.level" | spath cf_app_name | search cf_app_name="*Servicename*" | spath "msg.message" | search "msg.message"="*Request Fulfilled*" rename msg.@timestamp as EventEndTIme |table cf_app_name, EventEndTime, msg.message As of now, I have executed my first and second queries sequentially and able to capture the start and end time. Need to capture the Start and End time in parallel and measure the difference between Start and End time. Duration=EventEndTime-EventStartTIme. Would it be possible to help me here? Let me know if you are need of any additional details.
... View more
