omnianna.blogg.se

Calculate end time splunk transaction

Two answers: one using your search, then another that should end up 173.54 times as fast [1]. Actually three - one using your search that won't work, one that should, then one that's 173.54 times as fast [1].

First, using your search you simply need to add an eval to create the new field after your join.

index=UAT_Ncache_UserSearchesInfo searchid="8e0aa7bf-9346-453b-870d-2639e7c8d287" | eval date=substr(date,1,16) | fields date,searchid | join type=outer searchid | eval duration = date-endtime

Now, while I say that it's that simple, it probably isn't because you'll likely need to convert those text-type date/time strings into something easier to add and subtract with and convert it back into something readable.

index=UAT_Ncache_UserSearchesInfo searchid="8e0aa7bf-9346-453b-870d-2639e7c8d287" | eval date=substr(date,1,16) | fields date,searchid | join type=outer searchid
| eval duration=d1-d2
| eval duration=tostring(duration, "duration")

Note it got long enough I busted my additional parts into separate lines. The two strptime things convert the date/time strings into epoch times (e.g. seconds) which makes them easy to subtract. The eval duration=d1-d2 subtracts the two to get your duration, then the last statement just reformats the duration to be something other than seconds. You can leave that off if it'll always be very small numbers. Now, I think every single time I write these I get my subtraction backwards, so just change duration=d1-d2 to duration=d2-d1 if necessary.

Given that you seem to be able to group these on searchid, try this using transaction.

index=UAT_Ncache_UserSearchesInfo OR index=UAT_Ncache_BookingInfo | eval date=substr(date,1,16) | transaction maxspan=10m searchid

That should then do what you want, try it and let us know! Join is a wonderful command, but 95% or more of the time it's not needed and is practically always the slowest way to do something. The docs on Join even point this out and give alternates for other possible ways to do this.
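To make the two approaches concrete, here is an added Python sketch (not from the answer above and not Splunk code) that does on constructed events what the strptime/subtract step and the transaction maxspan=10m grouping do: it parses the 16-character date strings to epoch seconds, pairs search and booking events by searchid within a 10-minute span, and formats the result as a duration. The searchid value and index names are taken from the answer; the raw date layout "YYYY-MM-DD HH:MM:SS.mmm" is an assumption, and the example also shows that substr(date,1,16) leaves only minute resolution.

```python
from datetime import datetime, timedelta

# Constructed sample events standing in for the two indexes named in the answer.
EVENTS = [
    {"index": "UAT_Ncache_UserSearchesInfo", "searchid": "8e0aa7bf-9346-453b-870d-2639e7c8d287",
     "date": "2023-05-01 10:02:17.123"},
    {"index": "UAT_Ncache_BookingInfo", "searchid": "8e0aa7bf-9346-453b-870d-2639e7c8d287",
     "date": "2023-05-01 10:07:45.900"},
    {"index": "UAT_Ncache_UserSearchesInfo", "searchid": "aaaa-0000",
     "date": "2023-05-01 11:00:00.000"},
    {"index": "UAT_Ncache_BookingInfo", "searchid": "aaaa-0000",
     "date": "2023-05-01 11:30:00.000"},  # 30 min apart: outside maxspan=10m
]

DATE_FMT = "%Y-%m-%d %H:%M"  # after substr(date,1,16) only minutes survive (assumed layout)

def to_epoch(date_str):
    """Equivalent of eval date=substr(date,1,16) followed by strptime(date, "%Y-%m-%d %H:%M")."""
    return datetime.strptime(date_str[:16], DATE_FMT).timestamp()

def transaction_durations(events, maxspan=timedelta(minutes=10)):
    """Mimic 'transaction maxspan=10m searchid': per searchid, earliest-to-latest span in
    seconds. Groups wider than maxspan are dropped here (Splunk would split them instead)."""
    groups = {}
    for ev in events:
        groups.setdefault(ev["searchid"], []).append(to_epoch(ev["date"]))
    out = {}
    for sid, times in groups.items():
        span = max(times) - min(times)
        if span <= maxspan.total_seconds():
            out[sid] = span
    return out

def as_duration(seconds):
    """Rough equivalent of tostring(duration, "duration"): seconds -> HH:MM:SS."""
    s = int(seconds)
    return f"{s // 3600:02d}:{s % 3600 // 60:02d}:{s % 60:02d}"

if __name__ == "__main__":
    for sid, span in transaction_durations(EVENTS).items():
        print(sid, as_duration(span))
```

Because the seconds are cut off by substr, the real 5 min 28 s gap between the two sample events comes out as exactly 300 seconds; keep the full timestamp before strptime if that precision matters.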
