using least and most recent to collect duration information
I'm trying to use queries against timestamps in milliseconds to help qualify the duration of visits by a user by IP. My problem is I can't manage to parse out both the least and most recent timestamps for the same IP without getting the _raw field error.
This query works to give me an early timestamp:
(_sourceCategory=apache_access)
| parse regex "(?<ip_address>\d{1,3}\.\d{1,3}\.\d{1,3}\.\S{1,32})"
| parse regex "(?<time_stamp>\d{2}\/\w{3}\/\d{4}:\d{2}:\d{2}:\d{2})"
| withtime time_stamp
| least_recent(time_stamp_withtime) as var by ip_address
| parseDate(var, "dd/MMM/yyyy:HH:mm:ss") as milliseconds
But I can't seem to get the syntax right for extending this to a couple of values that I could eventually calculate the difference on. This query, for instance, does not work:
(_sourceCategory=apache_access)
| parse regex "(?<ip_address>\d{1,3}\.\d{1,3}\.\d{1,3}\.\S{1,32})"
| parse regex "(?<time_stamp>\d{2}\/\w{3}\/\d{4}:\d{2}:\d{2}:\d{2})"
| withtime time_stamp
| least_recent(time_stamp_withtime) as var
| parseDate(var, "dd/MMM/yyyy:HH:mm:ss") as milliseconds
| most_recent(time_stamp_withtime) as last_var by ip_address
| parseDate(last_var, "dd/MMM/yyyy:HH:mm:ss") as last_milliseconds
Official comment
Hi Scott,
Each event has two built-in timestamps that are epoch-time ms values, _receipttime and _messagetime, so you can do something like this:
_sourceCategory=apache_access
| parse regex "(?<ip_address>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| min(_messagetime) as earliest, max(_messagetime) as latest by ip_address
| latest - earliest as duration_ms
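The aggregation in the official comment, reproduced in plain Python as an added example (not code from the thread or from Sumo Logic), so the per-IP min/max/duration arithmetic can be checked offline. It derives epoch milliseconds from the log text the way parseDate would, whereas in Sumo Logic _messagetime is already populated at collection time. The sample log lines are constructed, the function names are mine, and the timestamp regex deliberately keeps the zone offset that the original dd/MMM/yyyy:HH:mm:ss pattern drops, since without it every parsed time would be interpreted in the query's default zone.

```python
"""Per-IP visit duration from Apache access-log timestamps.

Added example for the forum thread, not the original poster's or Sumo
Logic's code. It mirrors:
  | min(_messagetime) as earliest, max(_messagetime) as latest by ip_address
  | latest - earliest as duration_ms
over a few constructed log lines.
"""
import re
from datetime import datetime

# Same IP pattern as the thread, with a proper \d{1,3} last octet.
IP_RE = re.compile(r"(?P<ip_address>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")

# Apache common-log timestamp *including* the zone offset, which the
# original dd/MMM/yyyy:HH:mm:ss regex leaves out.
TS_RE = re.compile(
    r"\[(?P<time_stamp>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]"
)
# Python spelling of the Sumo parseDate format "dd/MMM/yyyy:HH:mm:ss Z".
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines (not real traffic). The last one has an IP but
# no timestamp, so it should be dropped just as `parse regex` without
# `nodrop` would drop it.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512
10.0.0.7 - - [10/Oct/2023:13:56:01 +0000] "GET /login HTTP/1.1" 200 128
10.0.0.5 - - [10/Oct/2023:13:57:06 +0000] "GET /app HTTP/1.1" 200 2048
10.0.0.5 - - [10/Oct/2023:14:05:36 +0000] "POST /logout HTTP/1.1" 302 0
10.0.0.7 - - [10/Oct/2023:13:56:01 +0000] "GET /favicon.ico HTTP/1.1" 404 0
malformed line with no bracketed timestamp from 10.0.0.9
"""


def message_time_ms(line):
    """Epoch milliseconds for one log line, the value _messagetime holds
    once the collector has parsed the timestamp; None if no timestamp."""
    m = TS_RE.search(line)
    if not m:
        return None
    dt = datetime.strptime(m.group("time_stamp"), TS_FORMAT)  # tz-aware
    return int(dt.timestamp() * 1000)


def durations_by_ip(log_text):
    """Return {ip: (earliest_ms, latest_ms, duration_ms)} for every IP
    that has at least one parseable line, i.e. the min/max-by-ip_address
    aggregation from the official comment."""
    earliest = {}
    latest = {}
    for line in log_text.splitlines():
        ip_m = IP_RE.search(line)
        ts = message_time_ms(line)
        if not ip_m or ts is None:
            continue  # unparseable line: no ip_address or no timestamp
        ip = ip_m.group("ip_address")
        earliest[ip] = min(earliest.get(ip, ts), ts)
        latest[ip] = max(latest.get(ip, ts), ts)
    return {ip: (earliest[ip], latest[ip], latest[ip] - earliest[ip])
            for ip in earliest}


if __name__ == "__main__":
    for ip, (first, last, dur) in sorted(durations_by_ip(SAMPLE_LOG).items()):
        print(f"{ip:<12} earliest={first} latest={last} duration_ms={dur}")
```

A single-hit IP (10.0.0.7 above) yields a duration of 0 ms, which is correct for this metric but worth filtering out (`| where duration_ms > 0`) before treating it as a session length.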