Hello,
I'm trying to find the correct syntax to get the total time a device was in an alert status. The events have a start and stop time but occur multiple times. I've been able to get the total time of each occurrence, which produces multiple rows; I want a single row indicating the total time the device was in an alert status.
index = base search
| transaction exporter_ip alarmID startswith=eval(alarm_status="start") endswith=eval(alarm_status="end")
| eval duration = tostring(duration,"duration")
| eventstats sum(duration) by device_name | table device_name, duration
oh so close but not close enough.
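Added example (not from the original post): a self-contained SPL search that pairs each alarm's start and end events with transaction and then reduces to one row per device. It builds its own constructed sample events with makeresults/makemv/mvexpand so it can be pasted into any Splunk search bar without the poster's index; the field names (exporter_ip, alarmID, device_name, alarm_status) are taken from the post, the IP addresses, alarm IDs, device names and timestamps are made up. Two things differ from the search in the post, both on purpose: the numeric duration that transaction emits is summed with stats (which collapses to one row per group, unlike eventstats, which keeps every event) and only then formatted with tostring(...,"duration"), because summing the already-formatted string yields no result. device_name is added to the transaction keys on the assumption that it is constant within one alarm.

```spl
| makeresults
| eval raw="1700000000,10.0.0.1,A1,edge-sw-01,start;1700000120,10.0.0.1,A1,edge-sw-01,end;1700000300,10.0.0.1,A1,edge-sw-01,start;1700000330,10.0.0.1,A1,edge-sw-01,end;1700000400,10.0.0.2,B7,core-rtr-02,start;1700000520,10.0.0.2,B7,core-rtr-02,end"
``` constructed sample events: epoch,exporter_ip,alarmID,device_name,alarm_status (not real data) ```
| makemv delim=";" raw
| mvexpand raw
| rex field=raw "^(?<ts>\d+),(?<exporter_ip>[^,]+),(?<alarmID>[^,]+),(?<device_name>[^,]+),(?<alarm_status>\w+)$"
| eval _time=tonumber(ts)
| fields - raw ts
``` transaction expects events most-recent-first, as a normal search returns them ```
| sort 0 -_time
``` one transaction per alarm occurrence; duration (seconds) = end _time - start _time ```
| transaction exporter_ip alarmID device_name startswith=eval(alarm_status="start") endswith=eval(alarm_status="end")
``` stats, not eventstats: one output row per device, summing the numeric durations ```
| stats sum(duration) AS total_seconds BY device_name
``` format only after summing; tostring(...,"duration") yields HH:MM:SS ```
| eval total_alert_time=tostring(total_seconds, "duration")
| table device_name total_seconds total_alert_time
```

With the constructed events above this returns two rows: edge-sw-01 with 150 seconds (00:02:30, two occurrences of 120 s and 30 s) and core-rtr-02 with 120 seconds (00:02:00). To run it against real data, replace everything up to and including the `sort` line with the base search, and keep `device_name` in the transaction keys only if it really is constant per alarm; otherwise drop it and group by exporter_ip instead. The triple-backtick inline comments require Splunk 8.1 or later; on older versions delete those lines.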