I have two events.
Event 1: index=nonprod source=test.log "received msg" | fields _time batchid
Event 2: index=non-agent source=test1.log "acknowledgement msg" | fields _time batchid
Calculate the time between the start event and the end event where it is more than 30 sec.
(index=nonprod source=test.log "received msg")
OR (index=non-agent source=test1.log "acknowledgement msg")
| eval which=if(match(_raw, "received msg"), "received", "acknowledged")
| stats range(_time) AS range dc(which) AS whiches BY batchid
| where whiches>1 AND range>30
(index=nonprod source=test.log "received msg")
OR (index=non-agent source=test1.log "acknowledgement msg")
| eval which=if(match(_raw, "received msg"), "received", "acknowledged")
| stats min(_time) AS starttime max(_time) AS endtime values(which) AS msg BY batchid
Getting the below result:
batchid    msg
Bid123     received
Bid23345   received, acknowledged
I require only the batchids that have both a received msg and an acknowledged msg, and a count of those whose duration is > 30 sec.
You have been given a couple of options as to how to find the batches which exceed 30 seconds. You appear to have adopted neither one. Perhaps you should start by using one of the solutions?
I tried the below query:
(index=x sourcetype=xx "saved msg") OR (index=y sourcetype=y "received msg")
| stats values(_time) AS time values(actionid) AS actionid values(batchid) AS batchid BY manid
| eval duration = max(time) - min(time)
| stats count count(eval(duration > 30)) AS exceeded
I am getting a count of both saved msg and received msg.
I require that a manid may have multiple saved msg requests, but
we require both saved msg and received msg by manid.
To be honest, your requirement is confusing as you keep changing field names etc. However, does this get you closer to what you are after?
(index=x sourcetype=xx "saved msg") OR (index=y sourcetype=y "received msg")
| fields _time manid index
| eval received_time=if(index="y",_time,null())
| eval saved_time=if(index="x",_time,null())
| stats min(received_time) AS received_time min(saved_time) AS saved_time BY manid
| eval duration = saved_time - received_time
| stats count count(eval(duration > 30)) AS exceeded
Assuming batchid uniquely identifies correlated events:
(index=nonprod source=test.log "received msg") OR (index=non-agent source=test1.log "acknowledgement msg")
| fields _time batchid index
| eval received_time=if(index="nonprod",_time,null())
| eval acknowledged_time=if(index="non-agent",_time,null())
| stats values(received_time) AS received_time values(acknowledged_time) AS acknowledged_time BY batchid
| eval elapsed_time=acknowledged_time-received_time
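The start/end correlation that the stats-based answers above build in SPL (the batchid version here and the manid version with the `count(eval(duration > 30))` step earlier) can be reproduced outside Splunk to check the logic. The following is an added Python re-implementation, not code from the thread and not Splunk's own code; the events, index names and field names it uses are constructed for the example. It goes slightly beyond the SPL by taking the earliest start and the latest end when a group carries duplicate events, and by dropping groups that have only one side of the pair, which is what the `whiches>1` / `null()` handling in the answers is meant to achieve.

```python
import re
from datetime import datetime, timezone

# Constructed sample events (not from the thread): (timestamp, index, _raw).
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:00Z", "nonprod",   "received msg batchid=B1 manid=M1"),
    ("2024-05-01T10:00:12Z", "non-agent", "acknowledgement msg batchid=B1 manid=M1"),
    ("2024-05-01T10:01:00Z", "nonprod",   "received msg batchid=B2 manid=M2"),
    ("2024-05-01T10:01:45Z", "non-agent", "acknowledgement msg batchid=B2 manid=M2"),
    ("2024-05-01T10:02:00Z", "nonprod",   "received msg batchid=B3 manid=M3"),  # never acknowledged
    ("2024-05-01T10:03:00Z", "nonprod",   "received msg batchid=B4 manid=M4"),
    ("2024-05-01T10:03:05Z", "nonprod",   "received msg batchid=B4 manid=M4"),  # duplicate start
    ("2024-05-01T10:03:50Z", "non-agent", "acknowledgement msg batchid=B4 manid=M4"),
    ("2024-05-01T10:05:00Z", "non-agent", "acknowledgement msg batchid=B5 manid=M5"),  # end with no start
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(ts, index, raw):
    """Mimic Splunk's _time plus automatic key=value field extraction for one event."""
    epoch = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()
    fields = dict(KV_RE.findall(raw))
    fields.update({"_time": epoch, "index": index, "_raw": raw})
    return fields


def correlate(events, key="batchid", start_marker="received msg", end_marker="acknowledgement msg"):
    """Python equivalent of the SPL pattern
         | eval start=if(match(_raw, start_marker), _time, null())
         | eval end=if(match(_raw, end_marker), _time, null())
         | stats min(start) AS start max(end) AS end BY <key>
         | eval elapsed = end - start
    Returns {key_value: elapsed_seconds} only for groups that have BOTH a start and an
    end event; duplicates collapse to earliest start / latest end.
    """
    starts, ends = {}, {}
    for ev in events:
        k = ev.get(key)
        if k is None:
            continue  # event lacks the correlation field; stats BY would drop it too
        if start_marker in ev["_raw"]:
            starts[k] = min(starts.get(k, ev["_time"]), ev["_time"])
        elif end_marker in ev["_raw"]:
            ends[k] = max(ends.get(k, ev["_time"]), ev["_time"])
    return {k: ends[k] - starts[k] for k in starts.keys() & ends.keys()}


def exceeded(elapsed, threshold=30):
    """The `| where elapsed > 30` step: keep only groups over the threshold."""
    return {k: v for k, v in elapsed.items() if v > threshold}


def summarize(elapsed, threshold=30):
    """The `| stats count count(eval(duration > 30)) AS exceeded` step."""
    return {"count": len(elapsed), "exceeded": len(exceeded(elapsed, threshold))}


if __name__ == "__main__":
    parsed = [parse_event(*e) for e in SAMPLE_EVENTS]
    for key in ("batchid", "manid"):
        el = correlate(parsed, key=key)
        print(key, el, exceeded(el), summarize(el))
```

Running it shows B3 (no acknowledgement) and B5 (no start) are excluded rather than reported with an empty or zero duration, and B4 is measured from its first received event, which is the choice to make explicit in the SPL (`min` versus `values`) before trusting the count.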
Only the batchid column is displayed with values; the received_time and acknowledged_time columns come back empty.
Please share more accurate representations of the events from both indexes and the search which is failing.
Please use a code block </> so that formatting information is not lost.
Start event:
index=nonprod source=mps-test | spath application="testapp" "saved msg" SVD | extract fields actionid, batchid, manid and status | table _time batchid manid actionid status
End event:
index=testprod sourcetype=testlogs source=test eventhandler "test passed" "msg received" | extract fields manid actionid | table _time manid actionid
Function:
Calculate the difference between the start event and the end event grouped by manid, and count the number of manids whose difference exceeds 30 seconds.
OK so that looks like an approximation of your SPL, so what you need to do approximately, is group by manid.
If you provide a more accurate listing of your SPL searches, I might be able to be more specific!
Calculate the difference between the start event and the end event grouped by manid, and count the number of manids whose difference exceeds 30 seconds.
Based on the above two events, perform the above condition.
What you provided above are not events, they are approximations of the SPL searches you used to retrieve the events. If you want help, you need to provide information that is useful to those of us endeavouring to assist you, not just repeat what you have already said.