I have a search that sorts events by a field (SYMBOL). My issue is that I want to sum the duration between events by SYMBOL.
I have:
index=xxx sourcetype=yyy ..... | sort 0 SYMBOL, _time | streamstats range(_time) as duration window=2 | stats sum(duration) by SYMBOL
This is skewed by the fact that when the symbol changes (from A to B, for example), the time resets to the start of my search period, and this leads to a big time difference between the last event of Symbol A and the first event of Symbol B. I need to remove this difference or set it to zero.
Any suggestions?
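To make the skew described above concrete, here is an added Python emulation (not part of the original post and not Splunk code) of what the two streamstats variants compute over a small constructed event set: the original `window=2` with no `by` clause, and the same command grouped per symbol, which corresponds to appending `by SYMBOL` to the streamstats command so the window never straddles two symbols.

```python
from itertools import groupby

# Constructed sample events, already in the order the search produces them:
# sorted by SYMBOL, then _time. Symbol B's first event sits near the start of
# the search period, far from Symbol A's last event.
EVENTS = [
    {"SYMBOL": "A", "_time": 1000},
    {"SYMBOL": "A", "_time": 1010},
    {"SYMBOL": "A", "_time": 1030},
    {"SYMBOL": "B", "_time": 100},
    {"SYMBOL": "B", "_time": 115},
    {"SYMBOL": "B", "_time": 125},
]


def streamstats_range_window2(events):
    """Emulate `streamstats range(_time) as duration window=2` with no `by`:
    range of _time over the current event and the one before it, regardless
    of SYMBOL. The first event has a window of one, so its duration is 0."""
    out = []
    for i, ev in enumerate(events):
        times = [e["_time"] for e in events[max(0, i - 1): i + 1]]
        out.append(dict(ev, duration=max(times) - min(times)))
    return out


def streamstats_range_window2_by_symbol(events):
    """Emulate the same command with `by SYMBOL`: the two-event window is kept
    per symbol, so the first event of each symbol starts again at duration 0
    instead of being compared against the previous symbol's last event."""
    out = []
    for _, group in groupby(events, key=lambda e: e["SYMBOL"]):
        out.extend(streamstats_range_window2(list(group)))
    return out


def sum_duration_by_symbol(events):
    """Emulate `stats sum(duration) by SYMBOL`."""
    totals = {}
    for ev in events:
        totals[ev["SYMBOL"]] = totals.get(ev["SYMBOL"], 0) + ev["duration"]
    return totals


if __name__ == "__main__":
    # Without `by`, B picks up the 930-second gap from A's last event.
    print("no by clause:", sum_duration_by_symbol(streamstats_range_window2(EVENTS)))
    print("by SYMBOL:   ", sum_duration_by_symbol(streamstats_range_window2_by_symbol(EVENTS)))
```

The ungrouped version inflates B's total by the 930-second jump between symbols; the grouped version yields only the within-symbol gaps.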