I have created two event types from logs to capture messaging events received and processed, having same contextId; from which I am trying to chart the duration of time taken to process an message by contextId. But the time is in milliseconds which does not work with timechart and it displays zero.
I tried the following
1. eventtype="Message Received" OR eventtype="Message processed" | timechart span=30mins range(_time) by contextId WHERE max in top10
2. eventtype="Message Received" OR eventtype="Message processed" | transaction range(_time) as duration by contextId | chart range(_time) by contextId
3. eventtype="Message Received" OR eventtype="Message processed" | timechart span=30mins range(_time) by contextId WHERE max in top10 | convert ctime(_time)
what is working,
eventtype="Message Received" OR eventtype="Message processed" | stats range(_time) as durationms by contextId | eval duration = durationms/1000 - But not want eval column and also want to bucket in every hour
But actually requirement is timechart top 50 message processing events (contextIds) which has taken more than 1 sec in milliseconds in every hour.
My observation is, stats and transactions do not work in range(evaled fields). Neither bucket produces correct result. If I bucket range function for 30 mins it results the _time as 1800 secs
... View more