Hi All,
After doing some searching, I got this output:
x avg median
2017-01-11 12:16:00,[Process],D:\Program Files\local.Log 3 5
The output I need should look like this:
x avg median
2017-01-11 12:16:00,
[Process],
D:\Program Files\local.Log 3 5
Thanks.
Here is the search:
index=abs (source=*log*)
| rex "(?i)log\s(?<METHOD>\[\w+.\w+])" | rex "in\s+(?P<seconds>\d+)\s+\ms" | rex "in\s(?<us>\d+.\d+)\"
|eval seconds=(seconds/1000)
|eval seconds=coalesce(seconds,us)
| eval source=replace(source,"\d+\.log$",".log")
| table _time source METHOD seconds
| bin _time span=1m
|eval _time=strftime(_time,"%Y-%m-%d %H:%M:%S")
|eval x=_time.",".METHOD.",".source
| stats median(seconds) as median by x source METHOD
| search METHOD="[Process]"
|eventstats count as Linecount sum(median) as Total
|eval average=Total/Linecount
|fields x average median