
Workflow - Anchor secondary search time ranges on event time

nclarkau
Path Finder

I have created a workflow through the GUI (the corresponding workflow_actions.conf is below).

The intention is to provide the user with a similar action to "show source" which instead displays the application transaction that the event belongs to.

We have a macro search that can perform this search using two parameters (thread and host). And the workflow action triggers this search correctly.

The problem we have is narrowing the secondary search so only the transaction in question is displayed (or at least as few extraneous ones as possible). If the user's original search is over 24 hours and they click on "Show transaction" then they get every transaction for 24 hours that matches the host and thread, which can be a very large number. Specifying a time range in the workflow setup does not work as it is relative to now.

Can we make the time range relative to the event that the workflow is triggered from? Or is there another way we could solve this?

[view_myapplication_transaction]
display_location = event_menu
eventtypes = myapplication_log_event
fields = *
label = Show transaction
search.app = MYAPP
search.earliest = -5m
search.latest = +5m
search.preserve_timerange = 0
search.search_string = `full_myapplication_transaction(thread=$thread$,host=$host$)`
search.target = blank
type = search
1 Solution

nclarkau
Path Finder

Based on the answer from nick it seems that for now (4.1.3) there is no straightforward way to do this.

The workaround we found was to use nick's suggestion of adding a now= clause to the search string in the workflow action. This would be perfect if the format of the _time field was not being changed somewhere in the workflow action code. Since now can only take epoch time format, the change of format (away from epoch time) was breaking the solution.

So the extra trick was to add an additional search command to some of the savedsearches/macros that we commonly use.

| convert mktime(_time) as start_time

The downside is that now the action is only available to events generated by these searches/macros. This is a limitation we hope can be fixed by some improvements to the workflow actions.

The resulting search string is:

sourcetype=myapp* host=$host$ thread=$thread$ now=$start_time$ earliest=-10min latest=+10m | `make_myapplication_transactions`

The workflow_actions.conf entry is:

[view_myapplication_transaction]
display_location = event_menu
fields = transaction_time
label = Show transaction
search.app = MYAPP
search.preserve_timerange = 0
search.search_string = sourcetype=myapp* host=$host$ thread=$thread$ now=$start_time$ earliest=-10min latest=+10m | `make_myapplication_transactions`
search.target = blank
type = search

Notice that the earliest/latest modifiers are in the search string.

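To make the mechanics of the accepted workaround concrete, here is an added Python example (not from the original post, and not Splunk's own code) that models what the workflow action does with the search string above: it substitutes the `$host$`, `$thread$` and `$start_time$` tokens from one triggering event, then resolves the `earliest`/`latest` modifiers against the `now=` epoch instead of wall-clock time. The relative-time parser is a simplified model of Splunk's syntax (no `@` snap-to), and the event values and the rejection of a non-epoch `start_time` are constructed for illustration.

```python
import re

# Constructed search string, mirroring the accepted answer's workflow action.
SEARCH_STRING = ("sourcetype=myapp* host=$host$ thread=$thread$ now=$start_time$ "
                 "earliest=-10min latest=+10m | `make_myapplication_transactions`")

# Simplified model of Splunk relative-time modifiers (no '@' snap-to):
# optional sign, a count, and a unit alias such as m/min/h/d.
_UNIT_SECONDS = {
    "s": 1, "sec": 1, "second": 1, "seconds": 1,
    "m": 60, "min": 60, "minute": 60, "minutes": 60,
    "h": 3600, "hr": 3600, "hour": 3600, "hours": 3600,
    "d": 86400, "day": 86400, "days": 86400,
}
_REL_RE = re.compile(r"^([+-]?)(\d+)([a-z]+)$")

def resolve_modifier(modifier, now_epoch):
    """Turn a modifier like '-10min' into an absolute epoch anchored on now_epoch."""
    if modifier == "now":
        return now_epoch
    m = _REL_RE.match(modifier)
    if not m or m.group(3) not in _UNIT_SECONDS:
        raise ValueError(f"unsupported time modifier: {modifier!r}")
    sign, count, unit = m.groups()
    delta = int(count) * _UNIT_SECONDS[unit]
    return now_epoch - delta if sign == "-" else now_epoch + delta

def substitute_fields(search_string, event):
    """Replace each $field$ token with the event's value, as the workflow action does."""
    def repl(match):
        name = match.group(1)
        if name not in event:
            raise KeyError(f"event has no field {name!r} for token ${name}$")
        return str(event[name])
    return re.sub(r"\$(\w+)\$", repl, search_string)

def event_window(search_string, event):
    """Return (resolved search, earliest_epoch, latest_epoch) for one triggering event.
    now= must carry an epoch value, which is why the answer adds
    '| convert mktime(_time) as start_time' to the searches feeding the action."""
    resolved = substitute_fields(search_string, event)
    kv = dict(re.findall(r"\b(now|earliest|latest)=(\S+)", resolved))
    if not kv.get("now", "").isdigit():
        raise ValueError(f"now= needs an epoch value, got {kv.get('now')!r}")
    now_epoch = int(kv["now"])
    earliest = resolve_modifier(kv["earliest"], now_epoch) if "earliest" in kv else None
    latest = resolve_modifier(kv["latest"], now_epoch) if "latest" in kv else None
    return resolved, earliest, latest
```

With a `start_time` of 1700000000 the window resolves to 1699999400..1700000600, a 20-minute span around the event rather than around the moment the user clicked.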