I have the following table and even if some of the events don’t indicate the same minute, they are part of the same incident (in my example, the three lines at the top and the two lines at the bottom).
I’d like to know how to merge the lines with different timestamps, based on the following rule: events with no more than 2 minutes difference between them = one single event.
customer  description  status  timedown
customer  IP Switch    DOWN    03/06/2015 15:53
customer  IP Switch    DOWN    03/06/2015 15:53
customer  IP Switch    DOWN    03/06/2015 15:51
customer  IP Switch    DOWN    03/06/2015 15:28
customer  IP Switch    DOWN    03/06/2015 15:28
customer  IP Switch    DOWN    03/06/2015 15:28
customer  IP Switch    DOWN    03/06/2015 14:38
customer  IP Switch    DOWN    03/06/2015 14:38
customer  IP Switch    DOWN    03/06/2015 14:38
customer  IP Switch    DOWN    03/06/2015 13:52
customer  IP Switch    DOWN    03/06/2015 13:51
I’ve been told that Transaction was a CPU nightmare so I’d like if possible to avoid using it. I believe this can also be achieved with Stats?
I do try to avoid transaction whenever possible but your use case is a good fit so try this:
... | transaction maxpause=2m customer description
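Added example, not part of the original thread: the same rule (a gap of more than 2 minutes between consecutive events starts a new incident) expressed with streamstats and stats instead of transaction. It assumes timedown is a day/month/year string (use %m/%d/%Y otherwise); down_epoch, prev_epoch, new_incident, incident_id, first_down, last_down and events are illustrative field names, not fields from the question.

```spl
...
| eval down_epoch=strptime(timedown, "%d/%m/%Y %H:%M")
| sort 0 customer description down_epoch
| streamstats current=f last(down_epoch) as prev_epoch by customer description
| eval new_incident=if(isnull(prev_epoch) OR down_epoch-prev_epoch>120, 1, 0)
| streamstats sum(new_incident) as incident_id by customer description
| stats min(down_epoch) as first_down max(down_epoch) as last_down count as events by customer description incident_id
| eval first_down=strftime(first_down, "%d/%m/%Y %H:%M"), last_down=strftime(last_down, "%d/%m/%Y %H:%M")
```

The first streamstats carries the previous event's time forward within each customer/description pair, and the second turns the new_incident flags into a running incident number that stats can group on.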