Hi,
03/22/2013 05:27:59.603 Message 1
03/22/2013 05:27:59.920 Message 1
03/22/2013 05:28:00.245 Message 1
03/22/2013 05:28:00.561 PROTOCOL 5
03/22/2013 05:28:00.876 Message
03/22/2013 05:28:01.202 FACTOR 6
03/22/2013 05:28:01.518 Message 9
03/22/2013 05:28:01.520 Message 9
I need duration between ("message 1" just before PROTOCOL 5) AND Message 9 just after FACTOR 6
but i have written query below like..
source="$SOURCE" |transaction startswith=("Message 1") endswith=("Message 9")|search ("PROTOCOL 5")|stats count perc95(duration) as VALUE
but that is not working because it is taking first message 1 timestamp value but i need just before PROTOCOL 5 message value.
Please let me know how to go ahead.
... View more