I have this scenario:
log 1: contains -
message: "app started"
_time: 1234
log 2:
message: "ended"
_time: 1235
rex to extract app from log1 and name it app
| eval start_time=strftime(_time, "%d-%m-%Y %H:%M:%S")
| rex to extract ended from log2 and name it app1
| eval end_time=strftime(_time, "%d-%m-%Y %H:%M:%S")
| stats values(app) AS app values(app1) AS app1 values(start_time) values(end_time) by _time
So when I extracted value of message and time in both logs, I end up in a situation with something like:
app  app1  start_time  end_time
A          1234        1234
     A     1235        1235
What I am looking for this:
app  app1  start_time  end_time
A    A     1234        1235
The first occurrence of A in the app field will be the start details and the first occurrence of A in app1 will have the end_time, and both should be on the same row. After that, go to the next row and repeat for the other occurrences of A, or whatever is in the app field and app1 field, in the same way.
I would like your help on this.
Thanks
So I ended up using the transaction command before using streamstats. However, I ended up with this table format.
app  app1  start_time  end_time
A    A     1234        1234
B    B     1238        1253
C    C     1345        1345
So now I need to check if both start_time and end_time have the same values and if yes, remove it in the final table. Seems that's the final step for me.
Thanks
... | where start_time != end_time
You can use the coalesce function to combine the app and app1 fields.
rex to extract app from log1 and name it app
|eval start_time=strftime(_time, "%d-%m-%Y %H:%M:%S")
| rex to extract ended from log2 and name it app1
|eval end_time=strftime(_time, "%d-%m-%Y %H:%M:%S")
| eval app=coalesce(app, app1)
| stats values(app) AS app values(start_time) values(end_time) by _time
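Putting the pieces of this thread together (coalesce the two app fields, pair each start with the next end for the same app, then drop rows where start_time equals end_time) as an added, self-contained example that is not from any of the posts above. The four makeresults events and the two rex patterns are constructed assumptions about the log format; the grouping is by app and a per-app session counter rather than by _time, which is what kept the start and end on separate rows in the original search.

```spl
| makeresults count=4
| streamstats count AS n
| eval _time=case(n=1, 1234, n=2, 1235, n=3, 1238, n=4, 1253)
| eval _raw=case(n=1, "app started A", n=2, "ended A", n=3, "app started B", n=4, "ended B")
| rex "^app started (?<app>\S+)"
| rex "^ended (?<app1>\S+)"
| eval phase=if(isnotnull(app), "start", "end")
| eval app=coalesce(app, app1)
| sort 0 app _time
| streamstats count(eval(phase="start")) AS session by app
| stats min(_time) AS start_epoch max(_time) AS end_epoch by app session
| eval start_time=strftime(start_epoch, "%d-%m-%Y %H:%M:%S")
| eval end_time=strftime(end_epoch, "%d-%m-%Y %H:%M:%S")
| where start_epoch != end_epoch
| fields - start_epoch end_epoch session
```

Each "app started" event increments the session counter for that app, so a second start for A opens a new row instead of being merged into the first; a start with no matching end (or an end with no start) leaves start_epoch equal to end_epoch and is removed by the where clause, which is the same check as the accepted answer.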
Hello @richgalloway, can you check my comment above? Thank you in advance