index=ccsp_test_was source="/usr/WASLogs700/cdhpws_uat*_/cdhpws/logs/application.log" "getProcedureDetailBlueChip" OR "getProcedureDetailBlueChipResponse"
AND "Outbound Message" OR "Inbound Message" OR "getProcedureDetailBlueChip response time returning procedure details" OR "memZipCode assigned to zipCode"
OR "provZipCode assigned to zipCode" OR "bnftAgrmtNbr" |rex "(?Inbound|Outbound)" |eval transfield=if(searchmatch("Outbound Message"),1,0) | accum transfield | transaction transfield | rex "ID:(?.)"
|rex "(?m)(?.)"|rex "(?m)(?.)"|rex "(?m)(?.)"|rex "(?.)" |rex "(?.)"|rex "(?.)" | rex "(?.)" | rex "(?.)" |rex "(?.)" |rex "(?.)"|rex "(?.)"| rex "(?.)"|rex "(?.)" |rex "provZipCode assigned to zipCode:(?.)"| rex "memZipCode assigned to zipCode:(?.*)"|stats max(_time) as startTime,min(_time) as endTime,values(info) as Info,values(ResponseTime) as responseTime,values(StatusCode) as StatusCode,values(message) as StatusMessage,values(CorpEntCd) as corpEntCd,values(costlvlpctl) as Costlvlpctl,values(CptCode) as cptCode,values(GroupNbr) as GroupNbr,values(MemZipCode) as memZipCode,values(procdchrgamt) as ProcChrgamt,values(ProvZipCode) as ProvZipCode,values(SectionNbr) as SectionNbr,values(ServiceDate) as ServiceDate,values(tretcatcd) as TretCatCd,values(tretcatname) as TretCatName,values(bnftAgrmtNbr) as bnftAgrmtNbr,values(acctNbr) as acctNbr,values(provassignZip) as provassignZip,values(memzipassignzip) as memzipassignzip by id,source
|eval responseTime=startTime-endTime |eval StartTime=strftime(startTime,"%Y-%m-%d %H:%M:%S,%3N")|eval EndTime=strftime(endTime,"%Y-%m-%d %H:%M:%S,%3N")
|table id,Info,StartTime,EndTime,responseTime,StatusCode,StatusMessage,source,corpEntCd,Costlvlpctl,cptCode,GroupNbr,memZipCode,ProcChrgamt,ProvZipCode,SectionNbr,ServiceDate,TretCatCd,TretCatName,bnftAgrmtNbr,acctNbr,provassignZip,memzipassignzip

could you please help me in this while adding those above code into my search am getting results but responsetime is coming because am loosing the time for outbound message because i nedd to display the transaction starttime endtime in the final result...thanks in advance..

index=ccsp_prd_was source="/usr/WASLogs700/cdhpws_/cdhpws/logs/application.log" "getProcedureDetailBlueChip" OR "getProcedureDetailBlueChipResponse" AND "Inbound Message" OR "Outbound Message" OR "getProcedureDetailBlueChip response time returning procedure details" OR "memZipCode assigned to zipCode" OR "provZipCode assigned to zipCode" OR "bnftAgrmtNbr" | rex "ID:(?.)" |rex "(?Inbound|Outbound)" | eval transfield=if(searchmatch("Outbound Message"),1,0) | accum transfield | transaction transfield by id.....
am using this query in the production ...Their has 1 or 2 requests not properly combined because ,,,for those requests will have first outbound message and afterwards inbound message.......could you please tell me how can i change the query....
thanks in advance....

Any specific reasons why the outbound message came before inbound? My answers rely on the order of inbound and outbound messages and will not work if the order is changed.

I don't Know... Even i have check the timestamp..time stamp is good ...once inbound processed then only outbound message processing ..but in the logs it has written like that..for some of the requests...

sometimes simultaneously 2 requests are processing ...that's why i am getting the at a time 2 Inbound and outbound messages.... like this order
outbound 28773
inbound 28773
outbound 28772
outbound 28771
inbound 28772
inbound 28771

It would be really difficult to differentiate two concurrent simultaneously without a unique identifier. May be check with log source on how you can get that added.

the log source is also same bro..

May be your need to sort the events by timestamp so that order is proper? Try adding | sort 0 -_time before eval transfield.

No for each transaction their is diff of some milliseconds.