Hi,
I would like to know the current event and the event that occurs right after that particular current event.
1. First I would want to search for a particular number sequence, 12345.
2. Then find the event that occurs right after it.
3. I want the result to contain both events.
4. The index, source and sourcetype for both events are the same.
Example:
In the below set of data,
Srvcs.APIController - Start - [12345]
Srvcs.evntcontroller - service not found
Srvcs.APIController - attempting
Srvcs.APIController - Start - [12345]
Srvcs.errcontroller - invalid call
Srvcs.APIController - attempting
The result I want is
Srvcs.APIController - Start - [12345]
Srvcs.evntcontroller - service not found
And for the second set
Srvcs.APIController - Start - [12345]
Srvcs.errcontroller - invalid call
Kindly help me with this.
Like this:
| makeresults
| eval raw="Srvcs.APIController - Start - [12345]
Srvcs.evntcontroller - service not found
Srvcs.APIController - attempting
Srvcs.APIController - Start - [12345]
Srvcs.errcontroller - invalid call
Srvcs.APIController - attempting"
| makemv delim="
" raw
| mvexpand raw
| rename COMMENT AS "Everything above generates sample events; everything below is your solution"
| streamstats count AS _serial
| eval _time = _time + _serial
| rename raw AS _raw
| sort 0 - _time
| reverse
| streamstats count(eval(searchmatch("[12345]"))) AS sessionID
| dedup 2 sessionID
| stats min(_time) AS _time values(_raw) AS events BY sessionID
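For reference, the same grouping logic that the SPL above performs (a running count of marker hits as the session ID, then the first two events of each session) as a stand-alone Python script. This is an added example, not Splunk code from the answer, and it reads from a constructed list of events rather than an index:

```python
import re

# Constructed sample events copying the question's data; they are not output from a Splunk run.
SAMPLE_EVENTS = [
    "Srvcs.APIController - Start - [12345]",
    "Srvcs.evntcontroller - service not found",
    "Srvcs.APIController - attempting",
    "Srvcs.APIController - Start - [12345]",
    "Srvcs.errcontroller - invalid call",
    "Srvcs.APIController - attempting",
]


def group_after_marker(events, marker_pattern, keep=2):
    """Return {session_id: [events]} with at most `keep` events per session.

    Mirrors the SPL answer: each event matching marker_pattern starts a new
    session (the running count from streamstats), and dedup keeps the first
    `keep` events of each session. `events` must already be in chronological
    order, oldest first, which is what `sort 0 - _time | reverse` produces.
    """
    marker = re.compile(marker_pattern)
    sessions = {}
    session_id = 0
    for line in events:
        if marker.search(line):
            session_id += 1
        if session_id == 0:
            # In the SPL these events land in sessionID=0 and would surface as a
            # bogus group; they have no preceding marker, so they are dropped here.
            continue
        bucket = sessions.setdefault(session_id, [])
        if len(bucket) < keep:
            bucket.append(line)
    return sessions


if __name__ == "__main__":
    for sid, lines in group_after_marker(SAMPLE_EVENTS, r"\[12345\]").items():
        print(sid, lines)
```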
This sounds like a job for transaction.
index=foo source=bar sourcetype=baz | transaction startswith="12345" maxevents=2 | ...
But that doesn't seem to work.
I tried, but it is showing some other event and not this one.