I am trying to calculate statistics for when a transaction enters our application, and when the reply is sent from the application. I would like to calculate statistics over an hour and there are two key values that i use to find the events to caculate on (research and Locsite). Here is the query:
sourcetype="Filter" transactionType=A44 | stats min(_time) AS earliest max(_time) AS latest by research,Locsite | eval duration=latest-earliest
this query returns the duration of the transaction. this query is good enough most of the time but sometimes events with the same "research" and "Locsite" is returned more than two times within the time range of an hour, then the duration value will be calculated over too long time. So i would like my query to only look for events with the same "Locsite" and "research" within one minute, but calculate statistics over the whole timerange