Splunk transaction timestamps events

You can convert the values to time integer values with

| eval t1=strptime(time1, "%H:%M:%S.%Q")

but that will then give t1 as a representation of 'today' at that time, including any time zone relevance, so if you have two times where

Another option is to simply rex the field like this (the capture-group names were lost in extraction; h, m, s and ms are stand-ins):

| rex field=time_field "(?<h>\d*):(?<m>\d*):(?<s>\d*)\.(?<ms>\d+)"

The question is: how have you established the two events (A and B) as being the ones used to establish the duration?

If each event has a common ID then the simplest thing to do is

| eval start=if(event_is_A,millis,null)
| eval end=if(event_is_B,millis,null)
| stats values(start) as start values(end) as end by Id

This handles the day wrap, and the 'event_is_X' construct is simply your way to determine whether this is the start or end event.

If you are using the 'transaction' command, then that has its own set of issues to consider and it is always good to try to avoid using transaction. stats is generally faster and has fewer issues. However, the simple math/rex option is the easiest. The following is a working example of your data, using stats to find the duration (the makeresults/eval lines that built the sample data did not survive extraction):

| makeresults
| rex field=EVENT_MESSAGE "Processing event with correlationId: (?<Id>\w+) at: (?<start_time>\d+:\d+:\d+\.\d+)"
| rex field=EVENT_MESSAGE "Processing completed for event with correlationId: (?<Id>\w+), at: (?<end_time>\d+:\d+:\d+\.\d+)"
| eval start_time=strptime(date." ".start_time, "%F %T.%Q")
| eval end_time=strptime(date." ".end_time, "%F %T.%Q")
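The start/end pairing and the midnight pitfall described above, as an added Python example that is not code from the original post or from Splunk. It parses constructed log lines with the same named groups as the rex commands (Id, start_time, end_time), anchors each time to its date the way the strptime(date." ".time, "%F %T.%Q") eval does, reduces by Id the way the stats command does, and shows why a time-only strptime goes wrong across midnight. The one-day correction in wrap_adjusted_duration is an added generalization, not something the answer shows; all sample data and function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not from the original page). Each tuple is the
# event date plus the EVENT_MESSAGE text; correlationId abc123 starts just
# before midnight and completes on the next day, so it exercises the day wrap.
SAMPLE_EVENTS = [
    ("2024-03-01", "Processing event with correlationId: abc123 at: 23:59:58.250"),
    ("2024-03-02", "Processing completed for event with correlationId: abc123, at: 00:00:01.750"),
    ("2024-03-01", "Processing event with correlationId: def456 at: 10:15:00.000"),
    ("2024-03-01", "Processing completed for event with correlationId: def456, at: 10:15:02.500"),
    ("2024-03-01", "Processing event with correlationId: orphan at: 11:00:00.000"),
]

# Same named groups as the rex commands in the text, in Python's (?P<name>...) syntax.
START_RE = re.compile(
    r"Processing event with correlationId: (?P<Id>\w+) at: (?P<start_time>\d+:\d+:\d+\.\d+)"
)
END_RE = re.compile(
    r"Processing completed for event with correlationId: (?P<Id>\w+), at: (?P<end_time>\d+:\d+:\d+\.\d+)"
)

EPOCH = datetime(1970, 1, 1)  # naive reference so results do not depend on local time zone


def to_epoch_millis(date, hms):
    """Counterpart of strptime(date." ".time, "%F %T.%Q"): anchor the time of day
    to its date so that an end time on the following day sorts after the start."""
    dt = datetime.strptime(f"{date} {hms}", "%Y-%m-%d %H:%M:%S.%f")
    return int((dt - EPOCH) / timedelta(milliseconds=1))


def time_only_millis(hms):
    """Counterpart of strptime(time1, "%H:%M:%S.%Q") with no date: milliseconds
    since midnight of whatever day the parser assumes, so the day is lost."""
    t = datetime.strptime(hms, "%H:%M:%S.%f")
    return ((t.hour * 60 + t.minute) * 60 + t.second) * 1000 + t.microsecond // 1000


def time_only_duration(start_hms, end_hms):
    """Naive difference of two time-of-day values; goes negative across midnight."""
    return time_only_millis(end_hms) - time_only_millis(start_hms)


def wrap_adjusted_duration(start_hms, end_hms):
    """Add one day whenever the naive difference is negative. Assumes no single
    transaction runs longer than 24 hours (hypothetical fix, not from the answer)."""
    diff = time_only_duration(start_hms, end_hms)
    return diff + 86_400_000 if diff < 0 else diff


def durations_by_id(events):
    """Equivalent of the stats-based pattern: split each event into a start or an
    end value, then reduce by Id. Ids with only one side yield no duration, just
    as values(end) would be empty for them in Splunk."""
    starts, ends = {}, {}
    for date, message in events:
        m = START_RE.search(message)
        if m:
            starts[m["Id"]] = to_epoch_millis(date, m["start_time"])
            continue
        m = END_RE.search(message)
        if m:
            ends[m["Id"]] = to_epoch_millis(date, m["end_time"])
    return {cid: ends[cid] - starts[cid] for cid in starts if cid in ends}


if __name__ == "__main__":
    print(durations_by_id(SAMPLE_EVENTS))                          # {'abc123': 3500, 'def456': 2500}
    print(time_only_duration("23:59:58.250", "00:00:01.750"))      # -86396500
    print(wrap_adjusted_duration("23:59:58.250", "00:00:01.750"))  # 3500
```

The orphan Id has a start but no end, so it drops out of the result exactly as it would from a stats row with an empty values(end); the time-only path shows the negative duration you get when the date is not carried into the timestamp.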