I have this log that has three relevant fields:
- @timestamp
- EVENTNO (Event number)
- DEVICEID (Device ID)
I want to know how much time happens between the start and the end of something specific (start of that something: EVENTNO="300095", end of it: EVENTNO="300096"), so I created this EQL search:
GET /redbanc-proview/_eql/search
{
  "query": """
    sequence by DEVICEID with maxspan=3h
      [any where EVENTNO == "300095"]
      [any where EVENTNO == "300096"]
  """,
  "fields": [
    {
      "field": "@timestamp",
      "format": "epoch_millis"
    }
  ]
}
As a result I got what I want: when a certain event starts (that's the one with EVENTNO 300095) and when it ends (EVENTNO 300096), great.
Now I need to know how much time passes between the two events.
I transformed @timestamp into epoch_millis hoping that helps in the next step: subtracting both @timestamp values. I know EQL has subtract, so I was thinking of something like:
"runtime_mappings": {
  "amount_of_time": {
    "type": "time",
    "script": "subtract(emit(doc['@timestamp'].value.event2,emit(doc['@timestamp'].value.event1)"
  }
},
Of course this runtime mapping is totally made up, but it's just to get the idea across.
Any ideas on how to do it?
And then, supposing I get that time... how could I put that into a visualization?
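One way to get the durations on the client side, as an added example that is not part of the original post: walk the `hits.sequences` array of the EQL response, read the epoch_millis `@timestamp` of the first (300095) and last (300096) event of each sequence, and emit one summary row per DEVICEID. The response JSON below is constructed, and its shape (`join_keys`, `events[].fields`) is an assumption about what the query above returns.

```python
import json

# Constructed sample of an EQL sequence response (an assumed shape, not
# captured from a real cluster): each sequence joins a 300095 start event
# with a 300096 end event for one DEVICEID, and "fields" carries @timestamp
# formatted as epoch_millis, as requested by the query above.
SAMPLE_RESPONSE = json.loads("""
{"hits": {"sequences": [
  {"join_keys": ["DEV-01"], "events": [
    {"_id": "a1", "fields": {"EVENTNO": ["300095"], "@timestamp": ["1700000000000"]}},
    {"_id": "a2", "fields": {"EVENTNO": ["300096"], "@timestamp": ["1700000090000"]}}]},
  {"join_keys": ["DEV-02"], "events": [
    {"_id": "b1", "fields": {"EVENTNO": ["300095"], "@timestamp": ["1700003600000"]}},
    {"_id": "b2", "fields": {"EVENTNO": ["300096"], "@timestamp": ["1700004500000"]}}]}
]}}
""")


def epoch_millis(event):
    """@timestamp from the fields block: values come back as a list, and
    epoch_millis formatting yields a string, so convert explicitly."""
    return int(event["fields"]["@timestamp"][0])


def sequence_durations(response):
    """One summary row per matched sequence: the join key (DEVICEID), start
    and end in epoch millis, and the gap between them. A sequence's events
    are listed in query order, so events[0] is the 300095 start and
    events[-1] the 300096 end."""
    rows = []
    for seq in response["hits"]["sequences"]:
        start_ms = epoch_millis(seq["events"][0])
        end_ms = epoch_millis(seq["events"][-1])
        rows.append({
            "DEVICEID": seq["join_keys"][0],
            "start_ms": start_ms,
            "end_ms": end_ms,
            "duration_ms": end_ms - start_ms,
        })
    return rows


if __name__ == "__main__":
    for row in sequence_durations(SAMPLE_RESPONSE):
        print(f"{row['DEVICEID']}: {row['duration_ms'] / 1000:.0f} s")
```

The rows are shaped so they can be bulk-indexed into a small summary index (one document per start/end pair with a numeric duration_ms field), which is a plain numeric field that Kibana can chart directly.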