Hi,
I have a log file with many events like the ones below:
2015-01-16 10:19:12 [APP1;STORE] Activated configuration 'Prod'
2015-01-16 11:29:13 [APP1;STORE] Activated configuration 'Test'
2015-01-16 12:30:51 [APP1;STORE] Activated configuration 'Prod'
2015-01-16 15:50:03 [APP1;STORE] Activated configuration 'No Data'
Each event indicates a configuration activation, so the time difference is the time the previous config was active.
I'm extracting these fields:
Configuration: values can be Prod, Test, No Data
Application: values can be APP1, APP2
I want to calculate how long each configuration was active in APP1.
-Sreerag
You could try this:
yoursearchhere
| sort - _time
| delta _time as Duration
| eval Duration=abs(Duration)
| table Application Configuration Duration
| eventstats sum(Duration) as AppDuration by Application
| fieldformat Duration=tostring(Duration,"duration")
| fieldformat AppDuration=tostring(AppDuration,"duration")
Does something like this work for you?
config_value=prod OR config_value=Test OR config_value="No Data"
application=APP1 OR application=APP2
| delta _time as tdelta
| stats list(tdelta) by application
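An added example, not part of either reply above: one way to total the active time per configuration, using the Application and Configuration field names from the question. It goes beyond APP1 by keeping a separate one-event window per application, so an APP2 activation never ends an APP1 interval; `yoursearchhere` is a placeholder for the base search, and PrevConfiguration, PrevTime, ActiveSeconds and Active are names chosen for this example.

```spl
yoursearchhere "Activated configuration"
| sort 0 _time
| streamstats current=f window=1 global=f last(Configuration) as PrevConfiguration last(_time) as PrevTime by Application
| where isnotnull(PrevTime)
| eval Duration = _time - PrevTime
| stats sum(Duration) as ActiveSeconds by Application PrevConfiguration
| rename PrevConfiguration as Configuration
| eval Active = tostring(ActiveSeconds, "duration")
```

For the four sample events in the question this gives APP1 a total of 4 h 29 min 13 s for Prod and 1 h 1 min 38 s for Test. 'No Data' gets no row because no later activation ends its interval.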