I have a query with stats, and I want to use the head command to retrieve a limited number of events for every day. But the head command is limiting the events for the whole query.
index=myindex "searchQuery" | rex "\<messageId\>(?<myMsgId>[^\<]+)" | rex "refToMessageId\>(?<myMsgId>[^\<]+)" | rex field=_raw "(?<fldDay>[\d\-]{10}).*\s\[\s[a-zA-Z0-9\-\:\.]" | stats earliest(_time) AS startTime, latest(_time) AS endTime, count as TotalEvents by fldDay, myMsgId | eval responseTime=endTime-startTime | where TotalEvents = 2 | stats avg(responseTime) as avgResponseTime by fldDay