Hi Folks,
How do I calculate the time for the scenario below (same accno), using transaction?
20160719T181321.405 GMT MESSAGE="RES" SNAME="DEMO" ACCNO="20161234"
20160719T181320.400 GMT MESSAGE="REQ" SNAME="DEMO" ACCNO="20161234"
20160719T181231.906 GMT MESSAGE="RES" SNAME="DEMO" ACCNO="20161234"
20160719T181230.902 GMT MESSAGE="REQ" SNAME="DEMO" ACCNO="20161234"
Current Search:
index=PQRST sourcetype=TEST SNAME=DEMO | rex "(?<pt>\d{8}T\d{6}\.\d{3})" | eval pe=strptime(pt, "%Y%m%dT%H%M%S.%f") | transaction SNAME startswith="REQ" endswith="RES" | eval duration = tonumber(mvindex(pe, -1)) - tonumber(mvindex(pe, 0)) | table ACCNO,duration
Output:
ACCNO duration
20161234 1.05
20161234 1.04
Thanks,
P