I have the following events
----------
2019-09-20 01:39:25 INFO Listener processing event with message metal:AUD:ADJ
2019-09-19 23:58:27 INFO Listener processing event with message metal:USD:ADJ
2019-09-19 23:58:20 INFO Listener processing event with message metal:USD:ADJ
2019-09-19 23:19:30 INFO Listener processing event with message metal:AUD:ADJ
----------
These events are exactly the same in pattern, and they only differ in timestamps (the events come in pairs). The timestamps are startTime and endTime. I am trying to summarise these events by grouping the pair into one row and calculating the duration.
So the output will look like this.
product | currency | type | startTime | endTime | duration
metal | AUD | ADJ | 2019-09-20 01:39:25 | 2019-09-19 23:19:30 | 5
metal | USD | ADJ | 2019-09-19 23:58:20 | 2019-09-19 23:58:27 | 7
I have begun my query as follows:
source="*.log"
| rex field=_raw "message (?.*?):(?.*?):(?.*)"
| table Config Intent Currency RunType AccountingDate _time
I have tried both the transaction and stats functions, yet in vain. Maybe I am not using them correctly.
Is there anyone who can give me advice on this issue? Any help will be highly appreciated.
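
One way to do the pairing described in the question, as an added example that is not part of the original post. The field names product, currency and type are assumptions taken from the desired output columns, and the search assumes that events with the same message alternate start, end, start, end in time order.

```spl
source="*.log" "Listener processing event with message"
``` field names below are assumed, taken from the desired output header ```
| rex field=_raw "message (?<product>[^:]+):(?<currency>[^:]+):(?<type>\S+)"
``` oldest first, so the first event of each pair is the start ```
| sort 0 _time
``` number the events per message: 1,2 form pair 1; 3,4 form pair 2; ... ```
| streamstats count as seq by product currency type
| eval pair=ceiling(seq/2)
``` collapse each pair into one row; events counts how many were found ```
| stats min(_time) as startEpoch max(_time) as endEpoch count as events
    by product currency type pair
``` duration in seconds; a row with events=1 is a start with no matching end ```
| eval duration=if(events=2, endEpoch-startEpoch, null())
| eval startTime=strftime(startEpoch, "%Y-%m-%d %H:%M:%S")
| eval endTime=if(events=2, strftime(endEpoch, "%Y-%m-%d %H:%M:%S"), null())
| table product currency type startTime endTime duration
```

Numbering the events with streamstats keeps repeated runs of the same message apart, which a plain `stats ... by product currency type` would merge into a single row spanning the first start and the last end.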