EQL Sequence and elapsed time calculation

With EQL it is easy to identify when a process was executed/started and when it finished.
Is there a way to calculate the elapsed time of the execution inside the EQL query?

Or is it better to use an external tool to process the response and perform those calculations? Is there another feature that could be used in this use case, like watchers or metric aggregations? The data volume is very big, millions of entries, but the documents are very small.

It is. EQL will give you the documents that match your sequence query, but it won't do operations on those docs.
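One way to do the external post-processing the answer points to, as an added example that is not from this thread: a small script that takes the response of an EQL sequence search, assumed to follow the shape of the Elasticsearch EQL search API (`hits.sequences[].events[]._source`), and computes the elapsed time per matched sequence from the first and last event's `@timestamp`. The sample response, the process names, the PIDs and the threshold are constructed.

```python
import json
from datetime import datetime

# Constructed sample shaped like the EQL search API response for a query such as
#   sequence by process.pid
#     [process where event.type == "start"]
#     [process where event.type == "end"]
# (assumed query; the data below is made up, not from the original thread).
SAMPLE_RESPONSE = json.dumps({"hits": {"sequences": [
    {"join_keys": [4712], "events": [
        {"_source": {"@timestamp": "2024-01-10T08:00:00.000Z",
                     "event": {"type": "start"},
                     "process": {"pid": 4712, "name": "backup.exe"}}},
        {"_source": {"@timestamp": "2024-01-10T08:02:30.500Z",
                     "event": {"type": "end"},
                     "process": {"pid": 4712, "name": "backup.exe"}}}]},
    {"join_keys": [4713], "events": [
        {"_source": {"@timestamp": "2024-01-10T08:05:00.000Z",
                     "event": {"type": "start"},
                     "process": {"pid": 4713, "name": "cmd.exe"}}},
        {"_source": {"@timestamp": "2024-01-10T08:05:02.000Z",
                     "event": {"type": "end"},
                     "process": {"pid": 4713, "name": "cmd.exe"}}}]},
]}})


def parse_ts(value):
    """Parse an ECS-style ISO 8601 timestamp; the trailing 'Z' is normalised for fromisoformat."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def elapsed_per_sequence(response_json):
    """For each matched sequence, return its join keys, process name and elapsed seconds
    between the first event (start) and the last event (end)."""
    data = json.loads(response_json)
    results = []
    for seq in data["hits"]["sequences"]:
        first = seq["events"][0]["_source"]
        last = seq["events"][-1]["_source"]
        elapsed = (parse_ts(last["@timestamp"]) - parse_ts(first["@timestamp"])).total_seconds()
        results.append({"join_keys": seq.get("join_keys", []),
                        "process": first["process"]["name"],
                        "elapsed_seconds": elapsed})
    return results


def flag_long_running(results, threshold_seconds):
    """Keep only sequences whose elapsed time exceeds the threshold (e.g. for alerting)."""
    return [r for r in results if r["elapsed_seconds"] > threshold_seconds]


if __name__ == "__main__":
    for row in elapsed_per_sequence(SAMPLE_RESPONSE):
        print(row)
```

For millions of events, page through the sequence results (or run the query per time window) rather than loading one response into memory.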
