Hi,
I'm trying to create transactions from events like this:
Session opened: [some id]
Session closed: [some id]
For a single id I can just use a search like this:
some_id | transaction startswith="Session closed" endswith="Session opened" maxpause=30m
to find sessions that had a break of at most 30 minutes.
The session_id I'm searching with is an extracted field. How would I go about finding the count of these transactions (closed -> opened) per session_id?
This is what I would like to get out:
session connection_breaks
-----------------------------------
session1 1
session2 5
session3 2