I would like to calculate the duration between the last two events in a transaction. An example transaction looks something like:
2015-12-31 13:03:03,695 Outgoing UserId="99999999999" MsgType="Menu" Internal="START"
2015-12-31 13:03:15,437 Incoming UserId="99999999999" MsgType="Refresh"
2015-12-31 13:03:19,847 Incoming UserId="99999999999" MsgType="Key" Key="1"
2015-12-31 13:03:20,238 Outgoing UserId="99999999999" MsgType="Menu"
How can I calculate the duration between last Incoming and last Outgoing events?
Try something like this... This is untested, so you will have to tweak it to your data.
First extract Incoming and Outgoing into a field, say dir
.... | rex "\b(?<dir>Outgoing|Incoming)\b"
Then add a serial number to both directions, like this
| streamstats count by dir
Then sort by dir to group Incoming with Outgoing
| sort dir
Finally use the range command to get the time difference
| streamstats range(_time) as diff by dir
This should give you some idea as to how to get what you need.
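To check the figure a search should return for the sample transaction, the same calculation can be reproduced outside Splunk. This is an added example in Python, not part of the original thread: the function names are hypothetical, and treating all events with one UserId as one transaction is an assumption.

```python
import re
from datetime import datetime

# Sample transaction copied from the question above.
SAMPLE = '''\
2015-12-31 13:03:03,695 Outgoing UserId="99999999999" MsgType="Menu" Internal="START"
2015-12-31 13:03:15,437 Incoming UserId="99999999999" MsgType="Refresh"
2015-12-31 13:03:19,847 Incoming UserId="99999999999" MsgType="Key" Key="1"
2015-12-31 13:03:20,238 Outgoing UserId="99999999999" MsgType="Menu"
'''

# Timestamp, then the direction as a whole word (an alternation, not a
# character class), then the quoted UserId anywhere later on the line.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) '
    r'(?P<dir>Incoming|Outgoing)\b.*?\bUserId="(?P<user>[^"]*)"'
)

def last_event_times(lines):
    """Return {user: {direction: latest datetime seen for that direction}}."""
    latest = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
        per_user = latest.setdefault(m["user"], {})
        # Keep the maximum, not the last seen, so unsorted input still works.
        if m["dir"] not in per_user or ts > per_user[m["dir"]]:
            per_user[m["dir"]] = ts
    return latest

def last_gap_seconds(lines):
    """Seconds from the last Incoming to the last Outgoing event per user.

    The value is signed (negative if the last Incoming is the later event)
    and None when a user has events in only one direction.
    """
    result = {}
    for user, times in last_event_times(lines).items():
        if "Incoming" in times and "Outgoing" in times:
            delta = times["Outgoing"] - times["Incoming"]
            result[user] = round(delta.total_seconds(), 3)
        else:
            result[user] = None
    return result

if __name__ == "__main__":
    for user, gap in last_gap_seconds(SAMPLE.splitlines()).items():
        print(user, gap)
```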