I am using the transaction command to group transactions on the field tx_id. Each successful transaction will begin with the field tx_state=FPA and end with tx_state=FUS. Each transaction will have any number of values for tx_state until the transaction is completed. Currently my search is as follows:

host=dtsever01 source=/tmp/messages.log sourcetype=messages tx_id=* | transaction tx_id startswith="FPA" endswith="FUS"

Is there a way to track the time it took to go from one event to the next within a transaction based on how long it took to go from tx_state to the next tx_state?

I have found that the following search will produce the time differentials between events, but only if there are exactly these 4 events in a transaction:

host=dtsever01 source=/tmp/messages.log sourcetype=messages tx_id=* | eval FPA=if(tx_state="FPA",_time,null()) | eval MLS=if(tx_state="MLS",_time,null()) | eval DSS=if(tx_state="DSS",_time,null()) | eval FUS=if(tx_state="FUS",_time,null()) | transaction tx_id startswith="FPA" endswith="FUS" | search credit_bureau | stats avg(MLS_Completion) as MLS_AVG, avg(DSS_Completion) as DSS_AVG, avg(FUS_Completion) as FUS_AVG, avg(Total_Time) as Total_Time by tx_id

My goal is to get a timechart that shows the time it took between the tx_states by tx_id.

You can do this using mvlist, mvexpand and streamstats. Here is the full search:

host=dtsever01 source=/tmp/messages.log sourcetype=messages tx_id=* | eval phaseTime=mvzip(tx_state,_time) | transaction tx_id startswith="FPA" endswith="FUS" mvlist=phaseTime | search credit_bureau | mvexpand phaseTime | rex field=phaseTime "(?<tx_phase>.*),(?<tx_phase_time>.*)" | streamstats current=f window=1 last(tx_phase_time) as prevTime by tx_id | eval elapsedTime=if(isnull(prevTime),null(),tx_phase_time - prevTime) | chart avg(elapsedTime) avg(duration) by tx_id tx_phase

And here is the search broken down by each step explaining what's happening.

First create a field that contains the phase of the transaction and the time so that we can work with this later:

host=dtsever01 source=/tmp/messages.log sourcetype=messages tx_id=* | eval phaseTime=mvzip(tx_state,_time)

Next, create your transaction, being sure to set the mvlist option for the field we just created.

| transaction tx_id startswith="FPA" endswith="FUS" mvlist=phaseTime | search credit_bureau

This will keep phaseTime in the correct order. Now expand your transaction based on the phaseTime. This creates a new event for every distinct value of phaseTime.
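To make the pipeline's logic concrete outside Splunk, here is an added Python model of what the mvzip / mvexpand / streamstats search computes; it is not from the original answer. The events, tx_ids and state names (including the extra "XTR" state) are constructed sample data, and the FPA/FUS bounds, per-phase elapsed time and per-phase averages mirror the transaction, streamstats and chart steps above, with variable numbers of states per transaction handled.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample events in the shape of the page's messages.log data:
# (tx_id, tx_state, _time). tx_id "B" never reaches FUS, so the FPA/FUS
# bounds must drop it, as transaction startswith/endswith does.
EVENTS = [
    ("A", "FPA", 100), ("A", "MLS", 130), ("A", "DSS", 190), ("A", "FUS", 200),
    ("B", "FPA", 300), ("B", "MLS", 350),
    ("C", "FPA", 400), ("C", "MLS", 420), ("C", "XTR", 480),
    ("C", "DSS", 500), ("C", "FUS", 560),
]

def build_transactions(events, start="FPA", end="FUS"):
    """Group events by tx_id in _time order, keeping only transactions that
    begin with `start` and end with `end` (the startswith/endswith bounds).
    Any number of intermediate states is allowed, unlike the fixed 4-eval search."""
    by_id = defaultdict(list)
    for tx_id, state, ts in sorted(events, key=lambda e: e[2]):
        by_id[tx_id].append((state, ts))
    return {tx: ph for tx, ph in by_id.items()
            if ph[0][0] == start and ph[-1][0] == end}

def phase_elapsed(transactions):
    """Seconds from the previous phase to each phase per tx_id, i.e. what
    streamstats window=1 last(tx_phase_time) plus the elapsedTime eval yield.
    The first phase has no predecessor and is skipped (the null() branch)."""
    rows = []
    for tx, phases in transactions.items():
        prev = None
        for state, ts in phases:
            if prev is not None:
                rows.append((tx, state, ts - prev))
            prev = ts
    return rows

def avg_by_phase(rows):
    """chart avg(elapsedTime) by tx_id tx_phase."""
    buckets = defaultdict(list)
    for tx, state, elapsed in rows:
        buckets[(tx, state)].append(elapsed)
    return {key: mean(vals) for key, vals in buckets.items()}

def total_duration(transactions):
    """The transaction command's duration field: last _time minus first _time."""
    return {tx: ph[-1][1] - ph[0][1] for tx, ph in transactions.items()}
```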