I run a search to find all events relating to a particular transaction number i.e.
index=myindex searchstring | transaction TX_ID | stats avg(duration)
from which I look for an event like the following:
07/22/2019-21:02:12.159 - taskPool-2 - DEBUG [com.batchRequest : Line 374]: UID: xxxxxxxxxxxx4078558 (this is the TX_ID) - Found in manifest file appeal number: 1-28000xxxxx for transaction ID: xxxxxxxx5175 (this is the EFT_ID) and function : Close
I need to take the value of EFT_ID and run a new search looking for all transactions with that particular value in the TX_ID field. I've tried several variations but I'm just not getting it to work. Any ideas on how to accomplish this?
Hi sheloaha,
The transaction command isn't a very performant command; you should try something different, like the stats command:
index=myindex searchstring
| stats earliest(_time) AS earliest latest(_time) AS latest values(EFT_ID) AS EFT_ID count BY TX_ID
| eval duration=avg(latest-earliest)
In this way you have the same fields as the transaction (if you need other fields, add them to the stats command using values) but in much less time.
If you want to use this search as a subsearch of another main search, remember to check the number of results you have, because there's the limit of 50,000 results in subsearches.
Bye.
Giuseppe
I have hundreds of transactions happening so I need to be able to group the events by TX_ID. Running the search as above does not give me the duration of each full transaction. My base search is essentially:
index=myindex host=myhost sourcetype=sourcetype1 OR sourcetype=sourcetype2 source=log1 OR source=log2
When I find a transaction that has the event giving an EFT_ID number I need to run a new transaction search using that value as the TX_ID.
The overall goal is to get an end-to-end duration of a transaction. The first search I run gives the duration of the SOAP call. The next part I need is the duration of the associated EFT transaction, which has a different transaction number from the SOAP part. I'm trying to pull the EFT_ID out and use that value to run my original search again but with the new transaction number.
So you want to search all transactions where TX_ID is the EFT_ID you chose/provide? Are you going to run this for a single EFT_ID (provided via dropdown/textbox/manual input to the search) OR all EFT_IDs matching some criteria?
Did you try this?
index=myindex searchstring | transaction TX_ID EFT_ID | stats avg(duration)
This only separates the line with the EFT_ID into a separate transaction and does not pull any additional events with that number.
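One way to link each SOAP transaction to its EFT transaction in a single pass, without transaction or a subsearch (an added example, not a search posted by anyone in this thread): summarize each TX_ID with stats, then group a second time on a shared key that is the EFT_ID for the SOAP leg and the TX_ID for the EFT leg. It assumes that the base search matches the events of both legs, that TX_ID is already an extracted field, that the "Found in manifest file" event appears only in the SOAP leg with one EFT_ID per TX_ID, and that the rex pattern (written from the sample event above) fits the real log line; the names start, end, leg, leg_duration, chain_id, SOAP_TX_ID, soap_duration, eft_duration and end_to_end are hypothetical.

```spl
index=myindex searchstring
| rex "for transaction ID: (?<EFT_ID>\S+) and function"
| stats earliest(_time) AS start latest(_time) AS end values(EFT_ID) AS EFT_ID BY TX_ID
| eval leg=if(isnotnull(EFT_ID), "soap", "eft")
| eval leg_duration=end-start
| eval chain_id=coalesce(EFT_ID, TX_ID)
| stats min(start) AS start max(end) AS end
        values(eval(if(leg=="soap", TX_ID, null()))) AS SOAP_TX_ID
        max(eval(if(leg=="soap", leg_duration, null()))) AS soap_duration
        max(eval(if(leg=="eft", leg_duration, null()))) AS eft_duration
        BY chain_id
| where isnotnull(SOAP_TX_ID) AND isnotnull(eft_duration)
| eval end_to_end=end-start
| rename chain_id AS EFT_ID
| table SOAP_TX_ID EFT_ID soap_duration eft_duration end_to_end
```

The where clause drops chains that have only one leg inside the search time range; appending `| stats avg(end_to_end)` gives the average across all linked pairs.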