Hello,
I am trying to find response time between events in different sourcetype but not able to figure out how to find time difference. For some it is coming correctly but for some value is coming negative , look like end time value is not coming correctly. Below is the search I am using. I need to find value based on common conversation ID and find avg by action. I tried with transaction but with conversation id is not having same value for all the events and transaction is not working.
index=A sourcetype="A_log4j" "Input Validation Passed" | rex "CONV_ID\s:\s(?.+)" | stats values(_time) as start by conversation_id | appendcols [search index=A sourcetype="B_log4j" "Outbound payload received" | rex "convId:\s(?[^/,]+)" | rex "action:\s(?[^/,]+)" | stats values(_time) as end by conversation_id,action] | eval diff=tonumber(start-end)| table conversation_id start action end diff.
For some : getting wrong value for subsearch and hence diff time is coming incorrectly. Please advise how I can find response time in this scenario.
Thanks much!!
↧