sorry im back here
|stats earliest(when) AS startTime latest(when) AS endTime by mainprocessname,ResourceID,Status
i cant get real time when i use earliest as start time ..
when= when the process start
any suggistions
here is my query
source="BP"
| eval t = when
| eval time =strptime(t,"%Y-%m-%d, , %H:%M:%S.%Q%Z") | dedup 1 sessionNumber sortby -time
|stats earliest(when) AS startTime latest(when) AS endTime by mainprocessname,ResourceID,Status | eval DurationSeconds=(endTime - startTime)
| eval startTime = strftime( strptime( startTime, "%Y-%m-%dT%H:%M:%S"), "%Y-%m-%d %H:%M:%S")
| eval endTime = strftime( strptime( endTime, "%Y-%m-%dT%H:%M:%S"), "%Y-%m-%d %H:%M:%S")
| table startTime,endTime , mainprocessname , ResourceID,Status
| rename mainprocessname as "Process" , ResourceID as "Runtime resource",startTime as "Start time", endTime as "End time"
... View more