topic Re: Search a particular source based on earlier search in Getting Data In

Search a particular source based on earlier search

prabhu_kar — Wed, 20 Mar 2013 19:41:56 GMT

Hi ,

I have user logs which are thousands in number per day. Iam trying to isolate users who had issues and then the issue went away.

It is akin to saying If I find a Error message like "unable to connect" in that particular user's file I want to find if he also got a "Reconnected" message. If it did not reconnect I want to pull those log files out or pull the rest of the log files. Each log file name has some pattern with which I can identify the user. Is there even a way for doing this ?

Thanks
Prabhu

Re: Search a particular source based on earlier search

martin_mueller — Wed, 20 Mar 2013 20:28:25 GMT

To rephrase, you're trying to test if a source contains "unable to connect" but not "Reconnected" afterwards? You could run something like this:

... ("unable to connect" OR "Reconnected") | eval disconnect_time = case(match(_raw,"unable to connect"),_time) | eval reconnect_time = case(match(_raw,"Reconnected"),_time) | stats max(disconnect_time) as disconnect_time max(reconnect_time) as reconnect_time by source | where disconnect_time>0 AND NOT disconnect_time <= reconnect_time

Re: Search a particular source based on earlier search

prabhu_kar — Thu, 21 Mar 2013 20:46:23 GMT

yes Martin , something similar. Trying this idea out and see how it goes ..