topic Re: use of streamstats over transaction command in Knowledge Management

use of streamstats over transaction command

ips_mandar — Fri, 03 Apr 2020 06:25:46 GMT

I have below sample events-
type=2, time=04/03/2020 01:01:000
type=3, time=04/03/2020 01:16:000
type=3, time=04/03/2020 01:22:000
type=2, time=04/03/2020 02:20:000
type=4, time=04/03/2020 03:00:000
here I want duration which startswith="type=2" and endswith="type=3 OR type=4" without using transction command since using transaction query becomes very slow.
can I achieve above using streamstats?
Thanks,

Re: use of streamstats over transaction command

to4kawa — Fri, 03 Apr 2020 08:49:45 GMT

what's transaction id?
and in your sample, what's the durations?

Re: use of streamstats over transaction command

ips_mandar — Fri, 03 Apr 2020 10:02:56 GMT

transaction id is source and duration starts from type=2 until first type=3

Re: use of streamstats over transaction command

to4kawa — Fri, 03 Apr 2020 10:19:50 GMT

index=yours sourcetype=yours
| eval time=strptime(time, "%m/%d/%Y %T%1N")
| reverse
| streamstats count(eval(type="2")) as sessions by source
| stats range(time) as duration by sessions

I don't know your field extraction.
let's fix it.

Re: use of streamstats over transaction command

ips_mandar — Fri, 03 Apr 2020 10:38:10 GMT

Let me give you some brief detail-
type-2 means gps connection loss and type-3 means it is gps connection restored.
Now I want to know for how much duration gps was loss so start with type-2 and end with type-3.
But in data type-3 may come multiple times in consecutive and similarly for type-2.
and in one source those strings will multiple times and i want to calculate duration by source and within one source there can be may gps loss happened and i want all those loss duration.
Hope this helps to understand my query clearly.
I have just now designed one query which will work only if I select one source in start of query but it won't be working for all source using by clause and global=false in streamstats.

|streamstats range(_time) as duration reset_after="("match(Type,\"2\")")" global=f window=2 by source

appreciate your help.

Re: use of streamstats over transaction command

to4kawa — Fri, 03 Apr 2020 11:22:12 GMT

I see your situation.
please provide sample log.

Re: use of streamstats over transaction command

woodcock — Fri, 03 Apr 2020 11:48:37 GMT

Try this:

Index="YouShouldAlwaysSpecifyIndex" AND sourcetype="And sourcetypeToo"
| streamstats count(eval(type="3")) AS sessionID BY source
| stats range(_time) AS duration values(type) AS type BY sessionID
| search type="2" AND type="3"