If I run this search:
index=main sourcetype=Metrics MEASUREMENT_POINT_NAME = "Test" | stats avg(ELAPSED_TIME)
I get the expected average.
If I run the following search, I get the expected results of events where the ELAPSED_TIME field is less than 1.
index=main sourcetype=Metrics MEASUREMENT_POINT_NAME = "Test" ELAPSED_TIME < 1
But if I combine the two searches (looking for an average ELAPSED_TIME for events in which ELAPSED_TIME is less than 1):
index=main sourcetype=Metrics MEASUREMENT_POINT_NAME = "Test" ELAPSED_TIME < 1 | stats avg(ELAPSED_TIME)
I get 0 as a result.
What am I missing to achieve the desired results?
Thanks!