Hello all,
I want to make a kind of sliding maxspan on transaction.
What maxspan usually does in transaction is control the time duration between the first event and the last one.
In my case, I want to group events as long as the duration between an event and the next one is less than 20s, and so on along the chain.
See the example below:
00:00:01 A
00:00:12 B
00:00:23 C
00:00:45 D
00:00:47 E
In this case I want to group A with B and C, and another group with D and E.
By using transaction maxspan=20s, I will have A with B, and another group with C and another group with D and E.
Please help me 🙂
You can use maxpause, but you should avoid transaction whenever possible, so try this:
... | streamstats current=f nextTime = last(_time) | eval maxPause= coalesce(nextTime, _time) - _time | streamstats count(eval(maxPause>20)) AS sessionID | stats values(_raw) by sessionID
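To check what grouping that pipeline produces, here is an added Python re-implementation of the same logic (this is not code from the thread and not Splunk's own code) run over the five constructed sample events from the question. It walks events newest-first, as Splunk's default result order does, so session 0 is the most recent group; the gap threshold is a parameter, so the same function handles any maxpause value.

```python
# Constructed sample: the five events from the question as (HH:MM:SS, label).
EVENTS = [
    ("00:00:01", "A"),
    ("00:00:12", "B"),
    ("00:00:23", "C"),
    ("00:00:45", "D"),
    ("00:00:47", "E"),
]


def to_seconds(hhmmss):
    """Turn an HH:MM:SS string into seconds since midnight (stands in for _time)."""
    h, m, s = (int(part) for part in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def sessionize(events, max_pause=20):
    """Mirror the SPL pipeline: iterate newest-first, compute the gap to the
    next-later event (streamstats current=f nextTime=last(_time)), and bump the
    session id whenever that gap exceeds max_pause (the maxPause>20 test)."""
    # Newest first, like Splunk's default result order.
    rows = sorted(((to_seconds(t), label) for t, label in events), reverse=True)
    session_id = 0
    next_time = None          # nextTime: _time of the previously seen (later) row
    labelled = []
    for t, label in rows:
        # eval maxPause = coalesce(nextTime, _time) - _time  (0 for the first row)
        gap = (next_time if next_time is not None else t) - t
        # streamstats count(eval(maxPause>20)) AS sessionID: the running count
        # includes the current row, so the row that opens the gap starts the new id.
        if gap > max_pause:
            session_id += 1
        labelled.append((session_id, label))
        next_time = t
    # stats values(_raw) by sessionID: values() yields sorted, deduplicated labels.
    sessions = {}
    for sid, label in labelled:
        sessions.setdefault(sid, set()).add(label)
    return {sid: sorted(labels) for sid, labels in sessions.items()}


if __name__ == "__main__":
    print(sessionize(EVENTS))   # {0: ['D', 'E'], 1: ['A', 'B', 'C']}
```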
Great, thanks!