I am trying to add to the search below so that I can get a cumulative total of the elapsed time calculation. I want one line for each store and Stall with a count of each disconnect that occurred and a sum of the elapsed time.
index="stalldisconnected_trace_index" Store=1004 | eval it = strptime(StartTime, "%Y-%m-%dT%H:%M:%S.%3N") | eval ot = strptime(EndTime, "%Y-%m-%dT%H:%M:%S.%3N") | eval ElapsedTime = tostring((ot - it), "duration") | Table Store,Stall,ElapsedTime
I have this search that gives me the count of the disconnects by store and stall
index="stalldisconnected_trace_index" | Stats Count(Stall) as Disconnects by Store,Stall |Sort -Disconnects,Store,Stall | Head 20
Try something like this
index="stalldisconnected_trace_index" | eval it = strptime(StartTime, "%Y-%m-%dT%H:%M:%S.%3N") | eval ot = strptime(EndTime, "%Y-%m-%dT%H:%M:%S.%3N") | eval ElapsedTime = (ot - it) | stats Count(Stall) as Disconnects sum(ElapsedTime) as ElapsedTime by Store,Stall |Sort -Disconnects,Store,Stall | Head 20 | eval ElapsedTime = tostring(ElapsedTime, "duration")
somesoni2, that almost worked. The ElapsedTime is blank. That is the issue I was having when I tried to figure it out on my own.
Got the issue. You're converting the ElapsedTime to string before stats, causing it to fail during sum. Try the updated answer.
Thanks, that worked like a champ!
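A reproduction of the blank-sum behaviour discussed in this thread, added here as an example and not taken from any of the posts. It runs without the index: the four rows from makeresults, their timestamps, and the field names n, secs, as_text, ElapsedSecs and SumOfStrings are constructed for illustration.

```spl
| makeresults count=4
| streamstats count as n
| eval Store=1004, Stall=if(n<=2, 1, 2)
| eval StartTime="2024-01-01T10:00:00.000"
| eval EndTime=case(n=1, "2024-01-01T10:00:30.500",
                    n=2, "2024-01-01T10:01:30.000",
                    n=3, "2024-01-01T10:00:15.000",
                    n=4, "2024-01-01T10:00:45.250")
| eval it = strptime(StartTime, "%Y-%m-%dT%H:%M:%S.%3N")
| eval ot = strptime(EndTime, "%Y-%m-%dT%H:%M:%S.%3N")
| eval secs = ot - it
| eval as_text = tostring(secs, "duration")
| stats count(Stall) as Disconnects
        sum(secs) as ElapsedSecs
        sum(as_text) as SumOfStrings
        by Store, Stall
| eval ElapsedTime = tostring(ElapsedSecs, "duration")
| table Store, Stall, Disconnects, ElapsedSecs, ElapsedTime, SumOfStrings
```

SumOfStrings is the column that reproduces the blank result, because sum() receives duration strings rather than numbers; ElapsedTime is formatted only after the numeric sum, as in the updated answer.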