sourcetype = abc | bucket span=1h _time | transaction user_ip destination_domain maxspan=20s maxpause=2s | stats count by duration destination_domain
This search renders duration for all fields as "0"
sourcetype = abc | transaction user_ip destination_domain maxspan=20s maxpause=2s | stats count by duration destination_domain
The above search, by contrast, gives the correct duration between the events. Any thoughts on where I am going wrong?
Thanks
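As an added example, not part of the original post, here is a small Python model of what the two searches do to `_time` and `duration`. It assumes a simplified `bucket`, which floors `_time` to the span boundary, and a simplified `transaction`, which groups time-sorted events by the listed fields and splits a group when the gap to the previous event exceeds `maxpause` or the total span exceeds `maxspan`; `duration` is the last event's `_time` minus the first's, which is how Splunk computes it. The events are constructed, not real `sourcetype=abc` data. Because `bucket span=1h` rewrites `_time` before `transaction` sees it, every event inside a 20-second window lands on the same hour boundary and the duration collapses to 0; running `bucket` after `transaction` (or binning a copy of `_time` made with `eval`) keeps the duration intact. The model also shows that a single-event transaction legitimately reports `duration=0`, so a zero is only suspicious when it appears for every transaction.

```python
"""Model of `bucket span=1h _time | transaction ... | stats count by duration`.

Added example, not code from the original post. It simulates in Python what
Splunk's bucket (bin) and transaction commands do to _time and duration,
using constructed sample events rather than real sourcetype=abc data.
"""
from collections import Counter
from typing import Dict, List, Sequence, Tuple

Event = Dict[str, object]
FIELDS = ("user_ip", "destination_domain")

# Constructed sample events (epoch seconds). 1700000000 is 22:13:20 UTC on
# 2023-11-14, so every event below falls inside the same clock hour.
EVENTS: List[Event] = [
    {"_time": 1700000000.0, "user_ip": "10.0.0.5", "destination_domain": "example.com"},
    {"_time": 1700000001.0, "user_ip": "10.0.0.5", "destination_domain": "example.com"},
    {"_time": 1700000002.5, "user_ip": "10.0.0.5", "destination_domain": "example.com"},
    {"_time": 1700000040.0, "user_ip": "10.0.0.9", "destination_domain": "cdn.example.net"},
    {"_time": 1700000041.0, "user_ip": "10.0.0.9", "destination_domain": "cdn.example.net"},
    {"_time": 1700000050.0, "user_ip": "10.0.0.9", "destination_domain": "cdn.example.net"},
]


def bucket_time(events: Sequence[Event], span_seconds: float) -> List[Event]:
    """`bucket span=<span> _time`: overwrite _time with the start of its span."""
    return [dict(e, _time=(e["_time"] // span_seconds) * span_seconds) for e in events]


def _close(key: Tuple[object, ...], fields: Sequence[str], evs: List[Event]) -> Event:
    """Emit one transaction: _time of the first event, duration = last - first."""
    txn: Event = dict(zip(fields, key))
    txn["_time"] = evs[0]["_time"]
    txn["duration"] = evs[-1]["_time"] - evs[0]["_time"]
    txn["eventcount"] = len(evs)
    return txn


def transaction(events: Sequence[Event], fields: Sequence[str],
                maxspan: float, maxpause: float) -> List[Event]:
    """Simplified `transaction <fields> maxspan=<s> maxpause=<s>`.

    Events are grouped by the field values; a group is split when the pause
    since the previous event exceeds maxpause or the span since the first
    event exceeds maxspan. Splunk walks events newest-first, but the
    resulting spans and durations are the same.
    """
    groups: Dict[Tuple[object, ...], List[Event]] = {}
    for e in sorted(events, key=lambda ev: ev["_time"]):
        groups.setdefault(tuple(e[f] for f in fields), []).append(e)

    txns: List[Event] = []
    for key, evs in groups.items():
        current = [evs[0]]
        for e in evs[1:]:
            pause_exceeded = e["_time"] - current[-1]["_time"] > maxpause
            span_exceeded = e["_time"] - current[0]["_time"] > maxspan
            if pause_exceeded or span_exceeded:
                txns.append(_close(key, fields, current))
                current = [e]
            else:
                current.append(e)
        txns.append(_close(key, fields, current))
    return txns


def stats_count(txns: Sequence[Event]) -> Counter:
    """`stats count by duration destination_domain`."""
    return Counter((t["duration"], t["destination_domain"]) for t in txns)


def bucket_then_transaction() -> Counter:
    """The first search from the post: bucket runs before transaction."""
    return stats_count(transaction(bucket_time(EVENTS, 3600), FIELDS, 20, 2))


def transaction_only() -> Counter:
    """The second search from the post: no bucket at all."""
    return stats_count(transaction(EVENTS, FIELDS, 20, 2))


def transaction_then_bucket() -> Counter:
    """Suggested ordering: bin the transaction's _time after duration is known."""
    return stats_count(bucket_time(transaction(EVENTS, FIELDS, 20, 2), 3600))


if __name__ == "__main__":
    for name, fn in (("bucket | transaction", bucket_then_transaction),
                     ("transaction", transaction_only),
                     ("transaction | bucket", transaction_then_bucket)):
        print(name)
        for (duration, domain), count in sorted(fn().items()):
            print(f"  duration={duration:<5} destination_domain={domain:<16} count={count}")
```

With `bucket` first, both groups report `duration=0.0`; without it (or with `bucket` moved after `transaction`) the 10.0.0.5 group reports 2.5 s, and the 10.0.0.9 group splits at the 9-second pause into a 1.0 s transaction and a single-event one whose 0.0 is genuine.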