using least and most recent to collect duration information

Comments

  • Official comment
    Rick Jury

    Hi Scott, 

    Each event has two built-in timestamps that are epoch time ms values, _receipttime and _messagetime, so you can do something like this:
    _sourceCategory=apache_access
    | parse regex "(?<ip_address>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
    | min(_messagetime) as earliest, max(_messagetime) as latest by ip_address
    | latest - earliest as duration_ms

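The same earliest/latest-by-address aggregation as the query in the reply above, written as an added Python example that is not part of the original thread. The log lines are constructed sample data, and the timestamp inside each line is assumed to play the role of `_messagetime`; the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed Apache access-log lines (sample data, not from the original thread).
SAMPLE_LINES = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512',
    '198.51.100.23 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 1024',
    '203.0.113.7 - - [10/Oct/2023:13:58:06 +0000] "POST /login HTTP/1.1" 302 0',
    '203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "GET /account HTTP/1.1" 200 2048',
    'malformed line with no address or timestamp',
]

# Same address pattern as the query, with every octet written as \d{1,3}.
IP_RE = re.compile(r"(?P<ip_address>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")
TS_RE = re.compile(r"\[(?P<ts>[^\]]+)\]")


def message_time_ms(line):
    """Epoch milliseconds from the line's own timestamp, or None if absent."""
    m = TS_RE.search(line)
    if not m:
        return None
    try:
        dt = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return int(dt.timestamp() * 1000)


def durations_by_ip(lines):
    """Return {ip: (earliest_ms, latest_ms, duration_ms)}; skips unparsable lines."""
    spans = {}
    for line in lines:
        ip = IP_RE.search(line)
        ts = message_time_ms(line)
        if not ip or ts is None:
            continue
        key = ip.group("ip_address")
        lo, hi = spans.get(key, (ts, ts))
        # Events may arrive out of order, so track min and max independently.
        spans[key] = (min(lo, ts), max(hi, ts))
    return {ip: (lo, hi, hi - lo) for ip, (lo, hi) in spans.items()}


if __name__ == "__main__":
    for ip, (lo, hi, dur) in sorted(durations_by_ip(SAMPLE_LINES).items()):
        print(ip, lo, hi, dur)
```

An address seen only once gets a duration of 0 ms, which is worth filtering out before treating the value as a session length.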
  • Scott Bauer

    This works the way I wanted it to.  Thanks very much for the help!
