
Splunk: How to get a timechart regarding the extracted _time values for which range() was applied?


With the following query I get the stats about Requesttime, Responsetime and Request-Responsetime (diff) of a specific id:

(index=something "Request") OR (index=something "Response")
| rex field=_raw "id\":\"(?<id>[a-z0-9-]+)" 
| table _time id
| stats min(_time) as Requesttime, max(_time) as Responsetime, range(_time) as diff by id

What I now want to get is a timechart with the average diff per 1 minute.

I tried to replace the stats command by a second table command and by the timechart command but nothing did the job.

Note: Requesttime and Responsetime are in different events.


Solution

  • I found a solution:

    (index=something "Request") OR (index=something "Response") 
    | rex field=_raw "id\":\"(?<id>[a-z0-9-]+)" 
    | stats earliest(_time) as earliestTime latest(_time) as latestTime by id
    | eval duration=latestTime-earliestTime
    | eval _time=earliestTime
    | timechart span=1m avg(duration) as avgRequestResponseTime 
    | fillnull value=0 avgRequestResponseTime
    | eval avgRequestResponseTime=round(avgRequestResponseTime,4)
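To make the behaviour of that pipeline concrete, here is an added Python re-implementation of the same steps (not the original poster's code, and not SPL): extract the id, take earliest/latest per id, assign the pair to the minute of its earliest event, average the durations per minute and zero-fill empty minutes. The events are constructed sample data, the regex is the Python form of the `rex` above, and the `include_unpaired` switch is an assumption of this example only; it exists to show the caveat that an id with only a Request (and no Response yet) gets `duration=0` and drags the per-minute average down, which the original query does not filter out.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (epoch seconds, raw text); not from the original post.
SAMPLE_EVENTS = [
    (1700000000.0, 'Request {"id":"a1b2c3","path":"/login"}'),
    (1700000002.5, 'Response {"id":"a1b2c3","status":200}'),
    (1700000010.0, 'Request {"id":"d4e5f6","path":"/search"}'),
    (1700000070.0, 'Response {"id":"d4e5f6","status":200}'),   # 60 s, spans into the next minute
    (1700000065.0, 'Request {"id":"0f9e8d","path":"/logout"}'),
    (1700000066.0, 'Response {"id":"0f9e8d","status":200}'),
    (1700000200.0, 'Request {"id":"beefca","path":"/orphan"}'),  # no Response yet: unpaired
]

# Python form of the rex in the question: id\":\"(?<id>[a-z0-9-]+)
ID_RE = re.compile(r'id":"(?P<id>[a-z0-9-]+)')


def pair_by_id(events):
    """Equivalent of: stats earliest(_time) latest(_time) by id | eval duration=latest-earliest.

    Returns {id: {"earliest", "latest", "duration", "events"}}; "events" counts
    how many raw events carried that id so unpaired requests can be recognised.
    """
    seen = {}
    for t, raw in events:
        m = ID_RE.search(raw)
        if not m:
            continue  # event without an id contributes nothing, like rex leaving the field empty
        rid = m.group("id")
        lo, hi, n = seen.get(rid, (t, t, 0))
        seen[rid] = (min(lo, t), max(hi, t), n + 1)
    return {rid: {"earliest": lo, "latest": hi, "duration": hi - lo, "events": n}
            for rid, (lo, hi, n) in seen.items()}


def timechart_avg_duration(pairs, span=60, include_unpaired=True):
    """Equivalent of: eval _time=earliestTime | timechart span=1m avg(duration)
    | fillnull value=0 | eval round(...,4).

    Each pair is bucketed by the minute of its *earliest* event (that is what the
    eval _time=earliestTime step does; stats dropped the original _time).
    include_unpaired=False (an assumption of this example) drops ids seen only once.
    """
    buckets = defaultdict(list)
    for p in pairs.values():
        if not include_unpaired and p["events"] < 2:
            continue
        bucket = int(p["earliest"] // span) * span
        buckets[bucket].append(p["duration"])
    if not buckets:
        return []
    start, end = min(buckets), max(buckets)
    out = []
    for b in range(start, end + span, span):  # emit every span, like timechart does
        vals = buckets.get(b)
        avg = round(sum(vals) / len(vals), 4) if vals else 0.0  # fillnull value=0
        out.append((b, avg))
    return out


if __name__ == "__main__":
    pairs = pair_by_id(SAMPLE_EVENTS)
    for b, avg in timechart_avg_duration(pairs):
        stamp = datetime.fromtimestamp(b, tz=timezone.utc).strftime("%Y-%m-%d %H:%M")
        print(f"{stamp}  avgRequestResponseTime={avg}")
```

Running it shows the 60-second pair counted in the minute its Request arrived, an empty minute filled with 0, and the orphan request producing a 0-second "duration" bucket; passing `include_unpaired=False` removes that last bucket, which is the behaviour you would want if open requests should not be counted as instant responses.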