I don't think the above answer will solve the problem, unless I failed to apply it properly.
Here comes more detailed info:
In my search clause I am able to limit the results to two types of events, the StartEvent which can occur many times, and the EndEvent that closes the "transaction". I need the duration between the earliest StartEvent and the EndEvent.
The events do not have a common field, but both contain the same email address under different labels/field names. In the transaction approach that failed (because it used the latest event instead of the first event), the events were tied together by using a RegExp Field Extraction.
If I search for a specific email address I can get the duration like this:
search terms finding exactly 1 transaction (by entering a unique email address) | stats earliest(_time) AS start latest(_time) as stop | eval durationSeconds = stop - start | stats max(durationSeconds) as max
But when not searching for a specific unique email address the duration is calculated for all the transactions.
How do I solve this if I want the duration for 1000s of individual transactions, if I cannot use the transaction command?
The end goal is to be able to graph the response times over time (per transaction), with for example "timechart avg(duration)".
I hope I was able to explain my need 🙂
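One way to get a per-transaction duration without the transaction command, written here as an added example and not taken from the thread: normalise the two email field names into one field with coalesce, then group the earliest start and the end timestamp BY that field, and reassign _time so timechart can plot it. The sourcetype values (start_events, end_events) and the field names (sender_email, user_email) are assumptions; substitute the ones your extraction produces.

```spl
(sourcetype=start_events OR sourcetype=end_events)
| eval email=coalesce(sender_email, user_email)
| eval start_ts=if(sourcetype="start_events", _time, null())
| eval end_ts=if(sourcetype="end_events", _time, null())
| stats min(start_ts) AS start, max(end_ts) AS stop BY email
| where isnotnull(start) AND isnotnull(stop)
| eval durationSeconds=stop - start
| eval _time=stop
| timechart span=1h avg(durationSeconds) AS avgDurationSeconds
```

The `where` step drops transactions that have not yet reached their EndEvent, so open transactions do not skew the average; if one email address can start more than one transaction inside the search window, this groups them together, so narrow the time range or add a second grouping field in that case.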