Hi all!
Does transaction calculate duration per "transaction" or from the first event in the transaction to the last event in the last transaction (active - #1 to Inactive - #2)? I need to average the sum of all durations of EACH transaction.
sourcetype=app | transaction userA startswith=eval(active) endswith=(inactive) | stats avg(duration) | eval duration = tostring(duration,"duration")
userA active - #1 inactive - #1 (duration #1)
(Time of Inactivity is disregarded)
userA active - #2 Inactive - #2 (duration #2)
Sum = Duration #1 + Duration #2 = what I need
I couldn't find this in the docs. As a sub question how can I remove HH and SSS from the "tostring(duration, "duration") output? I don't need either field. Thanks everyone!