topic Re: How to restrict transaction to group events from the same source and the same host? in Getting Data In

How to restrict transaction to group events from the same source and the same host?

xinde — Wed, 28 Mar 2018 19:46:42 GMT

Search a same log file on many different hosts .
Use transaction : startwith and endwith to capture one process within this log file.
Show the duration of this process for each host/source

host="hosts"
| rex field=_raw "Process(?.*)"
| transaction ProcessName startswith="BEGIN" endswith="END"
| eval durationMin = round(duration/60,0)
| chart values(durationMin) by host
The search return - msg from different host/source got grouped together.
Is there a way to restrict transaction events only on same host/source?

Re: How to restrict transaction to group events from the same source and the same host?

richgalloway — Wed, 28 Mar 2018 21:05:31 GMT

Try using stats instead of chart.

host="*hosts*" 
| rex field=_raw "Process(?<ProcessName>.*)" 
| transaction  ProcessName startswith="BEGIN" endswith="END"
| eval durationMin = round(duration/60,0)
| stats values(durationMin) by host, source

If you share some sample events, we may be able to help you improve search performance by eliminating the transaction command.

Re: How to restrict transaction to group events from the same source and the same host?

xinde — Mon, 02 Apr 2018 20:18:39 GMT

stats by host , source works!! thanks very much!