topic Re: time range customization in Getting Data In

time range customization

20065945 — Tue, 30 Sep 2014 13:56:13 GMT

I have an xml file. Over which i m performing searches. the result i m getting is in this form

        Text                                                     Date
1       Application: AVA failed        2014-01-24 14:21:53.50
                   Application: AVA started     2014-01-24 14:49:20.54

2          Application: AVA failed        2014-01-24 14:05:38.51
                  Application: AVA started  2014-01-24 14:20:17.71

3          Application: AVA failed       2014-01-24 14:04:42.00
                  Application: AVA started  2014-01-24 14:05:34.74

in this Application: AVA failed and Application: AVA started should be counted as 1 event if the difference between their occurrence time is 3 min. How can we evaluate the the time difference and how can we extract the minutes from the Date field?

any sort of help over this welcome.....Thanks in advance.

Re: time range customization

somesoni2 — Tue, 30 Sep 2014 15:13:56 GMT

You're getting 6 events in total (in your example) or 3 events only? Also, could you post your search query?

Re: time range customization

20065945 — Wed, 01 Oct 2014 04:16:08 GMT

These are three events. Each event gives two things the start text and the failed text.

For this result i have used the following query

sourcetype=test| transaction startswith="Application: AVA started" AND endswith="Application: AVA failed" | sort Date

Re: time range customization

markthompson — Wed, 01 Oct 2014 08:04:55 GMT

Try sorting by the DAY not the DATE, what this is doing is restructuring the 'transaction' hence it being in the wrong order for you.