I have a search where I'd like to show the duration of the order.
My search below almost gives me that, but the start_time and end_time are showing as the same, giving duration a value of 0.000.
Here is my search:
index=cg sourcetype=esb_audit esb_top_level=1 NOT bp_bp_name="*Task" svc_context_name="$svc_context_name$" | stats min(_time) as start_time, max(_time) as end_time, earliest(status) as start_status, latest(status) as exit_status, first(other) as exit_message, last(total) as total by svc_context_name, _time |eval duration = (end_time-start_time) |convert ctime(start_time) |convert ctime(end_time) |search exit_status="SUCCESS" |table svc_context_name, start_time, end_time, start_status, exit_status, exit_message, duration
I've also tried doing ...|stats earliest(time) as start_time, latest(time) as end_time, etc...| but I get the same results.
Is there a way to modify this search to get more accurate start/end time values?
Thanks!
See my updated answer on your other question here. Does this help?
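Added example, not part of the original question or answer: in the search posted above, `_time` in the `by` clause makes `stats` build one group per distinct timestamp, so `min(_time)` and `max(_time)` are equal in every row and `duration` is always 0. The version below groups by `svc_context_name` only, on the assumption that this field identifies a single order; everything else is kept from the posted search.

```spl
index=cg sourcetype=esb_audit esb_top_level=1 NOT bp_bp_name="*Task" svc_context_name="$svc_context_name$"
| stats min(_time) as start_time, max(_time) as end_time,
        earliest(status) as start_status, latest(status) as exit_status,
        first(other) as exit_message, last(total) as total
        by svc_context_name
| search exit_status="SUCCESS"
| eval duration = end_time - start_time
| convert ctime(start_time)
| convert ctime(end_time)
| table svc_context_name, start_time, end_time, start_status, exit_status, exit_message, duration
```

If the same `svc_context_name` is reused across several orders, a further field that is unique per order would be needed in the `by` clause in place of `_time`.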