I have a query to retrieve how much time a specific 'event' takes to finish:
fields @timestamp, @message
| parse @message "[Id: *] *" as eventID, loggingMessage
| stats sortsFirst(@timestamp) as date1, sortsLast(@timestamp) as date2 by eventID
This returns a table like:
I can do things like
| display (date2-date1)
to make some calculations, but what I would really like to do is to group all of them and calculate the avg(date2-date1), so only one result should appear.
I've tried what other posts recommend, but
| stats sortsFirst(@timestamp) as date1, sortsLast(@timestamp) as date2 by eventID, avg(date2-date1)
results in a syntax error due to the 'by eventID'. But if I remove this, my query is no longer grouped by eventID.
How could I get around this?