Hello everyone,
Seeking your help. I have logs where Transaction_ID is unique to each transaction. Depending on the transaction, there can be multiple actions. But if there is an error, there would be a log generated with Action=Error.
I have created two searches.
One for successful creation of transactions:
`base_search` | search action=Error | timechart distinct_count(Transaction_ID) as Successfull
And for errors.
`base_search` | search action!=Error | timechart distinct_count(Transaction_ID) as Error
I would like to simply display these two in one chart to see the number of successful events vs. failed. What would be the best method to combine these two?
Appreciate any guidance.
It is not clear what time value you want to chart, so I have assumed the last time for the transaction. I have also assumed you want daily counts. Gather the actions per transaction, and set status based on whether "error" is one of the statuses for the transaction.
| stats values(action) as actions last(_time) as _time by Transaction_ID
| eval status=if(match(actions,"Error"),"Error","Successful")
| timechart span=1d dc(Transaction_ID) by status
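As an added illustration (not code from the thread), the Python sketch below runs both approaches over constructed sample events to show why per-event filtering miscounts: a transaction that logs an Error also logs non-error actions, so it lands in both series. The event tuples and function names are assumptions, and the transaction's time is taken to be its latest event.

```python
from collections import defaultdict

# Constructed sample events: (ISO timestamp, Transaction_ID, action)
EVENTS = [
    ("2024-05-01T09:00:00", "T1", "Create"),
    ("2024-05-01T09:00:05", "T1", "Commit"),
    ("2024-05-01T10:00:00", "T2", "Create"),
    ("2024-05-01T10:00:03", "T2", "Error"),
    ("2024-05-01T23:59:50", "T3", "Create"),
    ("2024-05-02T00:00:10", "T3", "Error"),   # transaction spans midnight
    ("2024-05-02T08:00:00", "T4", "Create"),
]


def per_event_counts(events):
    """Filter individual events, then distinct-count IDs per day (two separate searches)."""
    non_error, error = defaultdict(set), defaultdict(set)
    for ts, tid, action in events:
        day = ts[:10]
        (error if action == "Error" else non_error)[day].add(tid)
    return ({d: len(s) for d, s in non_error.items()},
            {d: len(s) for d, s in error.items()})


def per_transaction_counts(events):
    """Collect actions per transaction, assign one status, bucket by latest event day."""
    actions, last_seen = defaultdict(set), {}
    for ts, tid, action in events:
        actions[tid].add(action)
        # ISO timestamps of equal format compare correctly as strings
        last_seen[tid] = max(ts, last_seen.get(tid, ts))
    counts = defaultdict(lambda: {"Successful": 0, "Error": 0})
    for tid, acts in actions.items():
        status = "Error" if "Error" in acts else "Successful"
        counts[last_seen[tid][:10]][status] += 1
    return dict(counts)


if __name__ == "__main__":
    print("per event:      ", per_event_counts(EVENTS))
    print("per transaction:", per_transaction_counts(EVENTS))
```

With this data the per-event view reports three non-error transactions on 2024-05-01 even though only T1 succeeded that day, while the per-transaction view counts each ID exactly once.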