I'm running a query for a 1 hour window. I need to group events by a unique ID and categorize them based on another field. I can do this with the transaction and timechart commands, although it's very slow.
transaction keepevicted=true UniqueID | timechart span="5m" limit=10 avg(duration) by myTypes
I'm trying to reproduce this output using stats but I need the data broken down into 5 minute intervals for each type of transaction. Here is what I have now that contains the final data I need.
stats range(_time) as UniqueID_Durations first(_time) by myTypes UniqueID
I want to split this into a timechart using the first(_time) and have the timechart calculate the average UniqueID_Duration for each myTypes.
I feel like it should be this, but it does not work.
stats range(_time) as UniqueID_Duration first(_time) by myTypes UniqueID | timechart span=5m avg(UniqueID_Duration) by myTypes .
Any suggestions?
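An added example, not part of the original post: after stats, only the fields it outputs remain, so timechart has no _time field to bucket on unless one of the aggregates is renamed to _time. This sketch assumes each UniqueID should be placed in a 5 minute bucket by its earliest event time, which is what transaction does; index=<your_index> is a placeholder for the base search.

```spl
index=<your_index> earliest=-1h
| stats min(_time) as _time, range(_time) as UniqueID_Duration by myTypes, UniqueID
| timechart span=5m limit=10 avg(UniqueID_Duration) by myTypes
```

min(_time) is used instead of first(_time) because first() returns the first event seen in search order, which by default is the most recent one.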