I've been looking around the forums, but nothing seems to quite cover what I need.
We are currently logging stats for a conference solution, which logs start and stops times. These can be grouped as transactions, and obviously I can sum the duration. The problem is that as this is a distributed conference solution, the same conference runs on multiple nodes/servers, but the transactions only relate to a single node/server. This means I could have two transactions for the same conference, (active on different nodes/servers).
In short, we need to know how long a conference is active over a given period (say 30 days) regardless of how many nodes/servers it is active on at any point.
My search to return transactions (grouped by node and conference) is below, I just can't see how to get the active time span:
index=vmr Name=administrator.conference Message="Conference has been created." OR Message="Conference has been stopped." | transaction Conference host startswith="Conference has been created." endswith="Conference has been stopped."
... View more