In my search I currently have
...| transaction startswith="start" endswith="end" maxspan=10m | eval current = if(Data1 == "Curr", Data3, null()) | timechart avg(duration) max(current)
My transaction is grouping events how I want them to, but the problem I have is with the eval search. Data1 essentially has a description of the type of data and Data3 has the value. I only care about the data when Data1 is "Curr" so if that case is true, then current should be the value of Data3. If not, then I don't care about Data3 so I set it to null.
(Note that each event has a Data1 and Data3 value so a transaction should have x number of Data1's and Data3's where x is the eventcount)
The goal of the search is to go through each event in a transaction and see if Data1 is "Curr" and to take note of the value and after going through each event in the transaction, to find the max value.
The problem I found is in the result of max(current)
If none of the events in a transaction has Data1="Curr", then there is no max(current) value, which is what I am looking for.
But if there is one, then the max(current) value just finds the max of Data3 regardless of whether that event is the one with Data1="Curr".
For example: if a log data has
Event2: Data1 = Curr, Data3 = 5
Event3: Data1 = Volt, Data3 = 10
My current search is outputting max(current) as 10 when I want it to be 5, since the 3rd event is not a Curr event, so its Data3 value should not be counted when finding the max.
Any help will be appreciated!
The transaction command is making a multi-value field out of Data1, so it will always equal "Curr" in your if statement.
You should be able to fix this by moving your eval before your transaction.
| eval current = if(Data1 == "Curr", Data3, null()) | transaction startswith="start" endswith="end" | timechart avg(duration) max(current)
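The following is an added, self-contained reproduction of the fix above; it is not part of the original question or answer. It builds a handful of constructed events with makeresults (the seq, Data1 and Data3 values and the use of Data1="start"/"end" as the transaction boundary markers are assumptions made for the example), runs the eval per event before transaction, and then reports one row per transaction. Because the synthetic events have no _raw text to search, startswith and endswith use the eval() form instead of the quoted search string from the original post; stats by _time is used in place of timechart so that each transaction shows up as its own row.

```spl
| makeresults
| eval data="1,start,0;2,Curr,5;3,Volt,10;4,end,0;5,start,0;6,Volt,7;7,end,0"
| makemv delim=";" data
| mvexpand data
| rex field=data "^(?<seq>\d+),(?<Data1>[^,]+),(?<Data3>\d+)$"
| eval _time = _time + tonumber(seq), Data3 = tonumber(Data3)
| fields - data
| sort 0 -_time
| eval current = if(Data1 == "Curr", Data3, null())
| transaction startswith=eval(Data1=="start") endswith=eval(Data1=="end") maxspan=10m
| stats avg(duration) max(current) by _time
```

With the eval placed before transaction, current is only set on the single Curr event, so the first transaction (events 1 to 4) reports 5 rather than 10, and the second transaction (events 5 to 7, with no Curr event) reports no max(current) at all. Moving the eval line to after the transaction line reproduces the original problem, because Data1 and Data3 are then multivalue fields spanning the whole transaction.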