Hi there,
I am attempting to chart averages and means for field 'dur' and output these statistics in a column by 'activity'. However, my results keep showing up in the first row only with null values in the other rows.
This is the search I am using:
index="main" earliest="$timerange$" (activity="-call" OR activity="-proxy") | join Correlation_ID[search index="main" desc="$action_value$-*"]| stats count AS "Execution Count #" BY activity | rename activity AS "Individual Service" | eval corID=Correlation_ID
| appendcols[search index="main" activity="-call" earliest="$timerange$" | eval callDur=dur | join Correlation_ID[search index="main" activity="-proxy" | eval proxyDur=dur]
| join Correlation_ID[search index="main" desc="$action_value$-*"] | where isnotnull(callDur) | where isnotnull(proxyDur) | eval diffDur=proxyDur-callDur
| chart avg(callDur) AS "Average Call Time(ms)", avg(diffDur) AS "Average Proxy Time(ms)" BY activity ] | fillnull value=N/A
| appendcols[search index="main" activity="-proxy" earliest="$timerange$" | eval proxyDur=dur | join Correlation_ID[search index="main" activity="-call" | eval callDur=dur]
| join Correlation_ID[search index="main" desc="$action_value$-*"] | where isnotnull(proxyDur)
| where isnotnull(callDur) | eval diffDur=proxyDur-callDur
| chart mean(callDur) AS "Mean Call Time(ms)", mean(diffDur) AS "Mean Proxy Time(ms)" BY activity ] | fillnull value=N/A
| appendcols[search index="main" (activity="-call" OR activity="-proxy") earliest="$timerange$" | join Correlation_ID[search index="main" desc="$action_value$-*"] | chart eval(strftime(max(_time), "%Y-%m-%dT%H:%M:%S%:z" )) AS "Last Call (Date/time)" BY activity]
| fields "Individual Service" "Execution Count #" "Average Call Time(ms)" "Mean Call Time(ms)" "Average Proxy Time(ms)" "Mean Proxy Time(ms)" "Last Call (Date/time)"
Any help would be appreciated. Thank you so much!