Hi,
I am trying to get response time between events using below query but for some reason i am not being returned any results. I assume it could be due to special characters in If statement. Can you take a look and let me know what is wrong?
index=* OR index=_* sourcetype=xxx.log | search interfaceName="xx" | eval Start_Time=if(message="START of receiving message - source = xxx , messageType = xx , correlationId = %correlationId%",_time,null()) | eval Finish_Time=if(message="END of receiving message (success) - source = xxx , messageType = xx , correlationId = %correlationId%",_time,null()) | transaction Rspns startswith="START of receiving message - source = xxx , messageType = xx , correlationId = %correlationId%" endswith="END of receiving message (success) - source = xxx , messageType = xx , correlationId = %correlationId%"| eval Response_Time=Finish_Time-Start_Time | stats values(interfaceName) as InterfaceName, avg(Response_Time) as Response by xxxx
... View more