Splunk: How to get a timechart regarding the extracted _time values for which range() was applied?

Question

With the following query I get the stats about Requesttime, Responsetime and Request-Responsetime (diff) of a specific id:

(index=something "Request") OR (index=something "Response")
| rex field=_raw "id\":\"(?<id>[a-z0-9-]+)" 
| table _time id
| stats min(_time) as Requesttime, max(_time) as Responsetime, range(_time) as diff by id

What I now want to get is a timechart with the average diff per 1 minute.

I tried to replace the stats command by a second table command and by the timechart command but nothing did the job.

Note: Requesttime and Reponsetime are in different events.

Answer 1

I found a solution:

(index=something "Request") OR (index=something "Response") 
| rex field=_raw "id\":\"(?<id>[a-z0-9-]+)" 
| stats earliest(_time) as earliestTime latest(_time) as latestTime by id
| eval duration=latestTime-earliestTime
| eval _time=earliestTime
| timechart span=1m avg(duration) as avgRequestResponseTime 
| fillnull value=0 avgRequestResponseTime
| eval avgRequestResponseTime=round(avgRequestResponseTime,4)

Answer 2

timechart requires the hidden field _time still exist - in this example, there is no _time field

So you're going to need to "fake" your timechart - or you're going to need to get _time back somehow or other

Something along these lines should work:

index=ndx ("Request" OR "Response")
| rex field=_raw "id\":\"(?<id>[a-z0-9-]+)" 
| stats min(_time) as Requesttime, max(_time) as Responsetime, range(_time) as diff by id date_minute
| stats avg(diff) as avg by id date_minute

(I took out the extraneous first | table line, as it slows the search down, and | stats will yield a table when it's completed)