I've got some logs where a certain field ('randomletter') is normally X, but occasionally changes to Y (or even Z!)
I would like to get a list of all the instances, and for how long it was reported as not being X.
I was hoping I could just use the transaction command to give me a list with the new field 'duration'.
search | transaction randomletter | search NOT randomletter="X"
This of course doesn't give me what I want, though... it groups huge swathes of events together, consecutive or not. Talking about 'consecutive', the 'connected' parameter gave me a glimmer of hope, but that doesn't do it.
In the end, I'm looking for a list of times based on consecutive events where 'randomletter' did not change, as well as a duration of that 'not-changingness'.
Anyway, hopefully a simple question, someone must have done it before! Anyone any ideas? 🙂
... | streamstats window=2 current=t
first(randomletter) as newletter
last(randomletter) as prevletter
| where newletter!=prevletter
| streamstats window=2 current=t
first(_time) as changedtime
| eval duration=changedtime-_time
| table _time,newletter,duration
I may have the duration offset by one, depending on whether you mean the duration of the current letter, or the duration until the current letter changed.
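As an added example (not part of either post above), the same run-length logic written out in Python over a constructed sample, so the "offset by one" question can be checked: each run of an unchanged 'randomletter' value ends at the _time of the first event carrying a different letter, and the final, still-open run ends at its last event. Field name and the normal value "X" follow the question; the event list is made up.

```python
from dataclasses import dataclass


@dataclass
class Run:
    start: int   # _time (epoch seconds) of the first event in the run
    end: int     # _time of the first event after the run (or last event if still open)
    letter: str  # value of 'randomletter' throughout the run

    @property
    def duration(self) -> int:
        return self.end - self.start


def letter_runs(events, field="randomletter"):
    """Group events into consecutive runs where `field` does not change.

    `events` is an iterable of (epoch_time, value) pairs. They are sorted by
    time first; like streamstats, the grouping depends on event order."""
    runs = []
    current = None
    for t, value in sorted(events, key=lambda e: e[0]):
        if current is None or value != current.letter:
            if current is not None:
                current.end = t          # previous run ends when the letter changes
            current = Run(start=t, end=t, letter=value)
            runs.append(current)
        else:
            current.end = t              # open run: provisional end at latest event
    return runs


def deviations(events, normal="X"):
    """Only the runs where the letter was not the normal value."""
    return [r for r in letter_runs(events) if r.letter != normal]


# Constructed sample: (epoch seconds, randomletter). X is normal, Y and Z are not.
SAMPLE = [
    (1000, "X"), (1010, "X"), (1020, "Y"), (1030, "Y"),
    (1040, "X"), (1050, "Z"), (1060, "X"), (1070, "X"),
]

if __name__ == "__main__":
    for r in deviations(SAMPLE):
        print(f"{r.start}  {r.letter}  duration={r.duration}s")
```

The streamstats chain in the answer computes durations between consecutive change points, which matches `Run.duration` here for all but the last run; that last run has no change point after it, so it needs the explicit end-at-last-event handling shown above.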