I am trying to look for data (from a few different log files) between a pair of Start Event and End Events in one related Log file.
Clearly, this is wrong, but I cannot understand how to think the way Splunk does. Any help here would be appreciated.
start searching from Start Event
index=_* OR index=* | eval EventType=case(match(Info, "^Tender"), "Start") | sort 0 _time | search EventType="Start"
index=_* OR index=* | transaction TransactionId PaymentId CheckNumber | eval duration=round(duration,3) | table sourcetype _time TransactionId PaymentId duration Info
Search until you find the End Event
index=_* OR index=* | eval EventType=case(match(Info, "PrintIntercept\:\:PrintXML finished"),"End") | sort 0 _time | search EventType="End"
You'll need to provide some more context in order to receive any sort of meaningful responses. Some sample data would help (sanitize it if you need to) a LOT. Even your description is ambiguous:
You're looking for data (from a few different log files) ... In one related log file <--- Which is it? A few different log files, or one log file?
Be as detailed as you can, even over-explaining, and you're more likely to get answers back.
I think you must have some field or fields that are helpful to group these events. You can use the stats command, which will help you to group the events and apply any operations on those grouped events.
Feel free to ask further questions if you have any.
Let me try to break down what I am going after:
Step One -
Jun 06, 11:11:22.541100 xxxxxx"Tender,10048 [Active win:, 002B05D4],"OK",(762,579)" --- This Event marks the Start of my search for the following events sequentially between start and end points. )
Step Two - Find this multiline string and treat it as One Event from a different log file
2019-05-15 10:08:37,710 ........... - Enqueuing interaction (end of line) TransactionInf...... TransactionId=(?<TransactionIdId>.+)end of line) CmdInfo=[TerminalId=3, OriginalTerminal=|null|, TableId=3145754, CheckId=3145755, CustomCommand=|null|, ScreenType=NotSet](end of line) PaymentInfo=[PaymentId=(?<PaymentId>\d+) ........Reference=, LastCompletionRefID=]](end of line)
2019-05-15 10:08:37,710 -- next event - that marks the end of above event if needed.
Step Three - Run this query until Step 4; TransactionId and PaymentId are referenced from Step 2
| transaction TransactionId PaymentId | eval duration=round(duration,3) | table sourcetype TimeStamp TransactionId PaymentId duration Info
Step 4 Define End of Search Period
Jun 06, 11:11:38.492012, ....... "PrintIntercept::PrintXML finished"
Hope that explains what I am trying to accomplish.
Thanks for any suggestions.
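The four steps can be expressed as one search instead of three separate ones, by letting transaction's startswith and endswith options bracket the window between the Tender event and the PrintXML finished event and then reporting the TransactionId and PaymentId seen inside it. This is an added example, not a search from the thread; the index, matching on _raw, the maxspan value and the two rex patterns that pull TransactionId and PaymentId out of the Enqueuing event are assumptions that need adjusting to the real log format.

```spl
index=*
| eval EventType=case(
      match(_raw, "Tender,\d+"), "Start",
      match(_raw, "PrintIntercept::PrintXML finished"), "End",
      true(), "Middle")
| rex "TransactionId=(?<TransactionId>[^\s\)\]]+)"
| rex "PaymentId=(?<PaymentId>\d+)"
| transaction startswith=eval(EventType="Start") endswith=eval(EventType="End") maxspan=5m maxevents=1000
| eval duration=round(duration,3)
| table _time sourcetype eventcount duration TransactionId PaymentId
```

Add a sourcetype filter to the first line so only the POS log and the payment log are scanned, and set maxspan to the longest checkout you expect so that a missing End event does not let one transaction swallow the next.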