Hi, I have messages in Splunk like:
{
  "id": "ABC",
  "message": "test1",
  "timestamp": "2017-08-07T16:38:38+00:00"
}
{
  "id": "BAC",
  "message": "test2",
  "source": "client",
  "timestamp": "2017-08-07T16:38:38+00:00"
}
These messages show up for each id. I would like to get the duration between the first message "test1" showing up and the second message "test2", by id. Maybe get the average duration for both messages showing up after tying each message to an id.
So basically, how can I get the average duration per ID? How can I do that in Splunk?
For duplicate ids, I need to get the worst duration for that ID. So no duplicates. Thanks!
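One way to express this in SPL, added here as a worked example and not taken from the original post or any reply to it. It assumes the events were indexed with `_time` parsed from the `timestamp` field (the default for JSON events with a recognised timestamp) and uses a hypothetical `index=app sourcetype=_json` scope; the field names `t_start`, `t_end`, `duration` and the output column names are my own choices.

```spl
index=app sourcetype=_json (message="test1" OR message="test2")
| stats
    min(eval(if(message=="test1", _time, null()))) AS t_start,
    max(eval(if(message=="test2", _time, null()))) AS t_end
    BY id
| where isnotnull(t_start) AND isnotnull(t_end) AND t_end>=t_start
| eval duration=t_end-t_start
| stats
    avg(duration) AS avg_duration_sec,
    max(duration) AS worst_duration_sec,
    count AS ids_measured
```

The first `stats` collapses every event for an id into one row, so duplicate ids cannot inflate the average: taking the earliest "test1" and the latest "test2" per id yields the longest (worst) duration for that id, which is what the question asks for. The `where` clause drops ids that only ever logged one of the two messages, or whose "test2" precedes "test1", so they do not contribute a null or negative duration. Remove the final `stats` line to see the per-id durations instead of the overall average. If `_time` was not parsed from `timestamp`, add `| eval _time=strptime(timestamp, "%Y-%m-%dT%H:%M:%S%z")` before the first `stats`. The `transaction id startswith="message=test1" endswith="message=test2"` command would also produce a `duration` field, but it holds every event of a transaction in memory and is noticeably slower on large result sets than the `stats` form above.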