Hi,
Hi everyone. I need to find out the duration between two events in the same field. My table is like this:
user    entry type    timestamp
raju    in            epochtime
raju    out           epochtime
Help me, guys. Thanks in advance.
Try like this. The chart command should create fields with the same names as the values in the field "entry type". The same field names will be used to calculate the duration. If the values of the field "entry type" are not 'in' and 'out', you'd need to update those in line 3.
your current search giving fields user "entry type" timestamp
| chart values(timestamp) over user by "entry type"
| eval duration=out-in
| table user in out duration
Can you check if either of these works:
If every userName's data exists only once for the in and out events, so that we can use the username to group all the activities from "in" to "out" as the transaction events the user did, then use:
index=yourIndex sourcetype=yourSourceType "entry type"="in" OR "entry type"="out"
| transaction user
| table user, duration
The above also assumes the timestamps are of the same format.
If the username data exists for more than one in and out event, where the user might have come in and gone out more than once, then try this:
index=yourIndex sourcetype=yourSourceType "entry type"="in" OR "entry type"="out"
| sort user, timestamp
| autoregress user as newUserName p=1
| autoregress timestamp as newTimeStamp p=1
| eval durationTime=(timestamp-newTimeStamp)
| eval userDuration=if(user=newUserName AND 'entry type'="out", durationTime, 0)
| table user, userDuration | where userDuration > 0
Based on the userDuration values you can accordingly divide by 60, 3600 etc. to get the userDuration in the format you like.
Can you check if your user, event type and timestamp fields are called "user", "event type" and "timestamp"?
The only reason all values will come in one column is if the transaction command is being done on a field which has the same value for all the events in your data, say something like "userType=visitor" where all users are visitors and we did |transaction userType
I am getting the whole users' results in a single column, but I want each individual person's duration.
I need it like this:
user    duration
raju    10 sec
rani    11 sec
Like this.
Thanks
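An added example, not part of any post in this thread: a self-contained search that pairs each "out" event with the "in" event immediately before it for the same user, using streamstats rather than the chart, transaction or autoregress approaches posted above. The field names user, "entry type" and timestamp come from the question; the six events generated by makeresults are constructed sample data (two visits for raju, one for rani), and prev_time and prev_type are names chosen here.

```spl
| makeresults count=6
| streamstats count as n
| eval user=case(n<=4, "raju", true(), "rani")
| eval "entry type"=if(n%2==1, "in", "out")
| eval timestamp=case(n==1, 1700000000, n==2, 1700000010, n==3, 1700000100, n==4, 1700000125, n==5, 1700000050, n==6, 1700000061)
| fields - _time n
| sort 0 user timestamp
| streamstats current=f window=1 global=f last(timestamp) as prev_time last("entry type") as prev_type by user
| where 'entry type'="out" AND prev_type="in"
| eval duration=timestamp-prev_time
| table user prev_time timestamp duration
```

The where clause drops any "out" that is not directly preceded by an "in" for the same user, so unpaired events never produce a duration. Against real data, replace the first six lines with the base search that returns the three fields.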