I'm posting a new answer because I can't comment from my workplace for some reason. You should be able to use a transaction command that starts and stops with each event. To calculate times within a transaction, you should eval the times before initiating the transaction, eval your time differences within each transaction, then use stats to find the time differences average or whatever you need. For example:

    index=citrix sourcetype="wts_log"
    | eval Start_Time=if(Status="STARTED",_time,null())
    | eval Step_1_Time=if(Status="Step1_Complete",_time,null())
    | eval Step_2_Time=if(Status="Step2_Complete",_time,null())
    | eval Step_3_Time=if(Status="Step3_Complete",_time,null())
    | eval Step_4_Time=if(Status="Step4_Complete",_time,null())
    | eval Finish_Time=if(Status="FINISH",_time,null())
    | transaction UserName host startswith="STARTED" endswith="FINISHED"
    | eval Step_1_Completion=Step_1_Time-Start_Time
    | eval Step_2_Completion=Step_2_Time-Start_Time
    | eval Step_3_Completion=Step_3_Time-Start_Time
    | eval Step_4_Completion=Step_4_Time-Start_Time
    | stats avg(Step_1_Completion) as Step_1_Completion_Average, avg(Step_2_Completion) as Step_2_Completion_Average, avg(Step_3_Completion) as Step_3_Completion_Average, avg(Step_4_Completion) as Step_4_Completion_Average

The search is longer now, but you can figure all kinds of inter-transaction timing with this kind of search.

Assuming your list of events is in chronological order and belongs to a single user, you can try this:

    | delta _time as timeSpentOnPreviousPage
    | accum timeSpentOnPreviousPage as totalTime

From your 2nd event on you will get for each event a timeSpentOnPreviousPage and totalTime field containing running time difference between events, and.

From there, we automatically create a duration field that logs the.

If there can be a significant difference between the first. If the second timestamp (timestampevent as you call it) is always going to be very close to regular timestamp in the beginning of each event, you should consider option 2, as it's a simpler configuration, and will also let the transaction command calculate the duration automatically.