For the following events, I need to calculate the duration of every stepA-to-stepB pair. There are multiple pairs, and there is no other step between a stepA and its stepB. The same applies to the event pair stepC and stepD.
The result should be TotalTime = 11, stepABDuration = 3, stepCDDuration = 2.
20150421 10:20:16 Step=stepStart, Tid=1111
20150421 10:20:17 Step=stepA, Tid=1111
20150421 10:20:18 Step=stepB, Tid=1111
20150421 10:20:19 Step=stepC, Tid=1111
20150421 10:20:20 Step=stepD, Tid=1111
20150421 10:20:21 Step=stepA, Tid=1111
20150421 10:20:22 Step=stepB, Tid=1111
20150421 10:20:23 Step=stepA, Tid=1111
20150421 10:20:24 Step=stepB, Tid=1111
20150421 10:20:25 Step=stepC, Tid=1111
20150421 10:20:26 Step=stepD, Tid=1111
20150421 10:20:27 Step=stepEnd, Tid=1111
Tried the following search and no result was returned.
| sort 0 TimeStamp
| streamstats current=f window=1 first(TimeStamp) as prev
| eval stepABDuration=if(Step="stepB", Timestamp-prev,0)
| eval stepCDDuration=if(Step="stepD", TimeStamp-prev,0)
| stats sum(stepABDuration) as stepABDuration by Tid
| stats sum(stepCDDuration) as stepCDDuration by Tid
| transaction TId
| eval TotalTime = duration
| table Tid, TotalTime, stepABDuration, stepCDDuration
I also tried the following, but only the duration of the 1st pair was returned and the sum was incorrect.
|sort _time
|delta _time as StepTime p=1
|eventstats sum(eval(if(Step="stepB",StepTime,0))) as StepABTime,
sum(eval(if(Step="stepD",StepTime,0))) as StepCDTime by TId
|transaction TId
|eval TotalTime = duration
|table TotalTime, StepABTime, StepCDTime
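As an added illustration (not part of the question or any answer), the same pairing logic written out in Python over the sample events above: sort the events, keep the previous event per Tid (what streamstats does), and add the delta only when the previous step is the matching start step. It assumes the exact line format shown in the question; the event text is constructed from it.

```python
from datetime import datetime
import re

# Constructed sample events, copied from the question.
EVENTS = """\
20150421 10:20:16 Step=stepStart, Tid=1111
20150421 10:20:17 Step=stepA, Tid=1111
20150421 10:20:18 Step=stepB, Tid=1111
20150421 10:20:19 Step=stepC, Tid=1111
20150421 10:20:20 Step=stepD, Tid=1111
20150421 10:20:21 Step=stepA, Tid=1111
20150421 10:20:22 Step=stepB, Tid=1111
20150421 10:20:23 Step=stepA, Tid=1111
20150421 10:20:24 Step=stepB, Tid=1111
20150421 10:20:25 Step=stepC, Tid=1111
20150421 10:20:26 Step=stepD, Tid=1111
20150421 10:20:27 Step=stepEnd, Tid=1111
"""
LINE_RE = re.compile(r"^(\d{8} \d{2}:\d{2}:\d{2}) Step=(\w+), Tid=(\w+)$")
# end step -> (required previous step, output field name)
PAIRS = {"stepB": ("stepA", "stepABDuration"), "stepD": ("stepC", "stepCDDuration")}

def parse_events(text):
    """Parse lines into (timestamp, step, tid) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        ts = datetime.strptime(m.group(1), "%Y%m%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3)))
    events.sort(key=lambda e: e[0])
    return events

def step_durations(events):
    """Return {tid: {TotalTime, stepABDuration, stepCDDuration}} in seconds."""
    result, prev, first, last = {}, {}, {}, {}
    for ts, step, tid in events:
        r = result.setdefault(tid, {"TotalTime": 0, "stepABDuration": 0, "stepCDDuration": 0})
        first.setdefault(tid, ts)
        last[tid] = ts
        if step in PAIRS:
            start_step, field = PAIRS[step]
            p = prev.get(tid)  # previous event of this Tid, like streamstats window=1
            if p and p[1] == start_step:
                r[field] += int((ts - p[0]).total_seconds())
        prev[tid] = (ts, step)
    for tid, r in result.items():
        r["TotalTime"] = int((last[tid] - first[tid]).total_seconds())
    return result
```

For the sample above this yields TotalTime 11, stepABDuration 3 and stepCDDuration 2 for Tid 1111.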