Hi,
I tried to use the "transaction" command but I couldn't get what I wanted, so I thought to ask the question here in case somebody can give a hint/solution.
So I do have an application that outputs logs as follows:
2012-08-23 19:36:19,612 INFO THR_ID=729108133 some message
2012-08-23 19:36:21,612 INFO THR_ID=729108133 some message
2012-08-23 19:36:22,612 INFO THR_ID=729108133 some message
2012-08-23 19:36:25,612 INFO THR_ID=729108133 some message
etc
I would like to write a search that gives me the duration between each two logging lines for the same THR_ID, so in this scenario I should see something like
Duration
2
1
3
Any ideas how to accomplish this?
Thanks,
Firas
Sure,
It looks like you should check the delta command, and use it on the built-in _time field. Something like this.
your_search | sort THR_ID, _time | delta _time as t_diff | table t_diff, THR_ID, whatever_else_you_want_to_show_from_the_event
UPDATE: forgot that you'd need to sort on THR_ID in order to get correct results. Oops. Fixed that.
Hope this helps,
Kristian
Thanks, the delta will get me what I wanted.
updated /k
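An added example, not part of the original posts: a per-thread variant of the search discussed above, for the case where several THR_ID values are present and no difference should be computed between the last event of one thread and the first event of the next. It uses streamstats with a by clause instead of delta. The makeresults sample events (including the second thread ID) are constructed, and the field names raw, ts and prev_time are assumptions.

```spl
| makeresults count=1
| eval raw="2012-08-23 19:36:19,612 INFO THR_ID=729108133 some message;2012-08-23 19:36:20,112 INFO THR_ID=555000111 constructed sample event;2012-08-23 19:36:21,612 INFO THR_ID=729108133 some message;2012-08-23 19:36:22,612 INFO THR_ID=729108133 some message;2012-08-23 19:36:24,112 INFO THR_ID=555000111 constructed sample event;2012-08-23 19:36:25,612 INFO THR_ID=729108133 some message"
| makemv delim=";" raw
| mvexpand raw
| rex field=raw "^(?<ts>\S+ \S+) \w+ THR_ID=(?<THR_ID>\d+)"
| eval _time=strptime(ts, "%Y-%m-%d %H:%M:%S,%3N")
| sort 0 THR_ID _time
| streamstats current=f last(_time) as prev_time by THR_ID
| eval t_diff=_time-prev_time
| table ts THR_ID t_diff
```

The first event of each THR_ID has no prev_time, so its t_diff is empty rather than a difference against another thread's event. `sort 0` lifts the default result limit of sort so large result sets are not truncated before the differences are computed.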