I am trying to get the average response time without the transaction command. Events are running into millions, so the search takes a lot of time.
Here is what I have:
index=myindex "string to match" | rex "messageId(?<myMsgId>[^\<]+)" | rex "refToMessageId(?<myMsgId>[^\<]+)" | rex field=_raw "(?<fldDay>[\d\-]{10}).*\s\[\s[a-zA-Z0-9\-\:\.]" | stats earliest(_time) AS startTime, latest(_time) AS endTime, count as TotalEvents by fldDay, myMsgId | eval responseTime=endTime-startTime
It should be simple, but I'm a novice here. How do I get the average of response time?
Thanks in advance.
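One way to finish the search in the post, added here as an example and not part of the original post: a second stats pass averages responseTime per day, and the where clause drops message ids seen only once (a request with no matching response), which would otherwise enter the average as zero. The makeresults rows are constructed sample data (two request/response pairs and one unanswered request) standing in for the base search and rex extractions; sampleRow, avgResponseTime and pairedMessages are assumed field names.

```spl
| makeresults count=5
| streamstats count AS sampleRow
| eval myMsgId=case(sampleRow<=2, "A1", sampleRow<=4, "B2", sampleRow==5, "C3")
| eval _time=relative_time(now(), "@d") + case(sampleRow==1, 0, sampleRow==2, 2, sampleRow==3, 10, sampleRow==4, 14, sampleRow==5, 20)
| eval fldDay=strftime(_time, "%Y-%m-%d")
| stats earliest(_time) AS startTime, latest(_time) AS endTime, count AS TotalEvents by fldDay, myMsgId
| where TotalEvents >= 2
| eval responseTime=endTime-startTime
| stats avg(responseTime) AS avgResponseTime, count AS pairedMessages by fldDay
```

On real data, keep the post's search through its stats command, then add the where, eval and final stats lines.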