Hi,
I'd like to calculate the average latency (_indextime-_time) with the tstats command, but I can not make it work:
| tstats avg(_indextime-_time) where (index=* OR index=_*) by index
Splunk thinks "_indextime-_time" is a field name. How can I compute the difference in the tstats?
Thank you
↧