In my situation I have "Web Requests" events, which I group in transactions with the following search:
sourcetype="WEB Request"
| eval request_date=_time
| transaction user maxpause=10m startswith="logged in" mvlist="request_date"
I now have every request's absolute date, in order. And I would like to compute a multi valued field that would represent the offset of each request date compared to the session date.
Basically, if the field was not multivalued, I could complete the search with something like:
| eval request_time_offset=request_date - _time
But the field is multivalued, and I am not sure how to proceed.
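One way to get the per-request offsets is the `mvmap` eval function, which evaluates an expression once for each value of a multivalued field and returns the results as a new multivalued field. This is an added illustrative answer, not part of the original post; it assumes Splunk 8.0 or later (where `mvmap` exists) and reuses the sourcetype, `user` field and `request_date` field from the question. The `_hms` field is a hypothetical extra, added only to make the offsets readable:

```spl
sourcetype="WEB Request"
| eval request_date=_time
| transaction user maxpause=10m startswith="logged in" mvlist="request_date"
| eval request_time_offset=mvmap(request_date, request_date - _time)
| eval request_time_offset_hms=mvmap(request_time_offset, tostring(request_time_offset, "duration"))
| table user _time request_date request_time_offset request_time_offset_hms
```

Inside `mvmap`, the name of the multivalued field (`request_date`) refers to the element currently being processed, while `_time` is the transaction's own timestamp, which `transaction` sets to the earliest event in the group (the "logged in" request). The first offset is therefore 0 and every later one is the number of seconds since login, in the same order as `mvlist` preserved them. A quick sanity check is `| where mvcount(request_date)!=mvcount(request_time_offset)`, which should return no rows.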