I am having two types of events that I am interested in - one that says something about usage flows of a mobile app, the other if the app has crashed. I would like to find what type of usage patterns that leads into a crash x minutes before the crash happens - for all crashes.
In order to do so I have this query to see usage 5 mins prior to crash log is uploaded:
my_indexes type=some_mobile_brand [search my_indexes type=some_mobile_brand SM_C.key=CrashUploaded | fields userId] | transaction userId endswith=CrashUploaded maxspan=5m | stats values(userpattern)
Now, I have a problem that after a crash it takes some time before the CrashUploaded metric is sent and I would like to filter out userpatterns AFTER the crash but BEFORE the CrashUploaded metric got sent.
In all events there are a sessionId that is distinct for each active session (only changes when the app restarts). So I need to be able to filter out all userpatterns that has the same sessionId as the CrashUploaded event. However, I am unable to find a good way of doing it without also filtering out the CrashUploaded metric.
Any way I could keep the CrashUploaded event, but filter out all events with the userpattern value with the same sessionIds as the CrashUploaded events?
There are possibly a couple of ways of doing this, however I think you could start by searching for crashes, taking the sessionId and then searching all activity for that sessionId:
Looking at the query you have above, it looks like you might already be taking this approach but using the userId
instead of sessionId
? Perhaps I got the wrong end of the stick?
By "filtering out" I mean removing 🙂 I understand it was confusing. What I want to end up with are the user actions where sessionId!=(sessionId of CrashUploaded events)
Ah okay, If you want to exclude sessions where the app crashed then I think the below might help?
my_indexes type=some_mobile_brand NOT [search my_indexes type=some_mobile_brand SM_C.key=CrashUploaded | fields userId] | transaction userId maxspan=5m | stats values(userpattern)
Not totally there yet as this gives me all user actions that did not end with a crash - but what I want is all user actions that ended with the crash (restart of the app), but exclude the user actions that happened after the crash to when the event with field CrashUploaded was sent.
I believe I found the way to do this:
my_indexes type=some_mobile_brand [search my_indexes type=some_mobile_brand SM_C.key=CrashUploaded | fields userId] NOT ( [search my_indexes type=some_mobile_brand SM_C.key=CrashUploaded | fields sessionId] AND SM_C.key!=CrashUploaded)| transaction userId maxspan=5m | stats values(userpattern)
Thanks, but I see I might not have been totally clear. What you suggest would give me the user activity AFTER the app has restarted. What I want is ONLY the user activity BEFORE the app restarts, so I want to exclude user activity where the sessionId
s are the same as CrashUploaded.