Search under same field value

enpingtu · ‎03-02-2021

We have below log event rows -

correlationKey=abc msg="create cache for 123"
correlationKey=abc "read cache for 123"
correlationKey=mno "create cache for 456"
correlationKey=mno "read cache for 456"
correlationKey=xyz "read cache for 123"

From the data, we may notice that correlationKey abc/mno have both create/read. But for correlationKey xyz, it does not have "create cache" log, but "read cache" only.

We need to find all correlationKey values w/o log entry "create cache for". (abc/mno do not qualify. Only xyz qualify.)

Appreciate your great help!

- ET

ITWhisperer · ‎03-02-2021

| eval created=if(match(msg,"create cache"),"true",null)
| stats values(created) as created by correlationKey
| where NOT created="true"

enpingtu · ‎03-02-2021

Appreciate!

gcusello · ‎03-02-2021

Hi @enpingtu,

You could try something like this:

your_search
| eval qualify=case(searchmatch("create cache for"),"Create", searchmatch("read cache for"),"Read"
| stats dc(qualify) AS dc_qualify values(qualify) AS qualify BY correlationKey
| eval status=if(dc_qualify=2,"Qualify","Do not Qualify")
| table correlationKey status

Ciao.

Giuseppe

Search under same field value

eval

field extraction

subsearch

Modern way of developing distributed application using OTel

Enterprise Security Content Update (ESCU) | New Releases

Archived Metrics Now Available for APAC and EMEA realms