I have a dashboard query that returns fields of a log file, and I'm only interested if the difference in time between two entries is larger than a minute.
Query:
host=Host source="Filepath" "Starting" OR "Completed" earliest=@d-9d-8h | reverse
Dashboard example.
Status 3/18/2016 7:53:47 PM: Starting
Status 3/18/2016 7:53:48 PM: Completed 0.23s.
Status 3/18/2016 7:58:56 PM: Starting
Status 3/18/2016 8:31:29 PM: Completed 1953.33s.
Status 3/18/2016 8:37:11 PM: Starting
Status 3/18/2016 8:37:11 PM: Completed 0.35s.
So, from 7:58 to 8:31, I would need to see both the "Starting" and "Completed" lines, but the rest of it can go. I've looked at a couple other questions and they didn't exactly have what I needed. Can anyone help me with this?
↧