Hey y'all,
I have a chart that takes transaction data from processes that run at different intervals. Most processes run once per day, but one runs once per week. The end goal is to show the duration taken for the process by taking the difference in the time stamps from the start event and end event. I want to be able to show all of the data in the same dashboard panel, and to do that I am trying to run a search that goes something like this:
index=google_search_appliance (("checkForOrphans") AND ("Checking for orphaned documents" OR "orphaned assets added to the transaction table"))
|eval pause_duration= if(process="connectweb","6d","23h")
|transaction process maxpause=$pause_duration$
|table process orphan_count duration pause_duration
Can I correlate an eval to a token like this or is it not possible?
Thanks!
↧