I have a single index which logs incoming request and completed request related details. There is a common indicator, i.e. commandId. I want to fetch key parameters from each entry and then merge them into a single table for dashboarding.
Incoming request details (which will not have the keyword numDCs):
index="log-3258-prod-c" NOT numDCs | table _time, contextId, user_name, Flow
Completed request details (which will have the keyword numDCs):
index="log-3258-prod-c" numDCs | fields contextId, contextIdUser, numDCs, productCount, clientIP, laas_hostname, flowId
I need a table having all columns from both, with contextId as the merging column.
There is a chance that an incoming request has still not completed, i.e. it might still be executing, so its values for the completed request columns should be null.
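One way to build the merged table described above, as an added example that is not part of the original post: a single search over the index, grouped by contextId with `stats`, so no `join` is needed. It assumes both kinds of event carry an extracted contextId field and that the fields listed in the two searches are extracted at search time; the `stage` and `status` field names are made up for the example.

```spl
index="log-3258-prod-c"
| eval stage=if(searchmatch("numDCs"), "completed", "incoming")
| stats min(eval(if(stage="incoming", _time, null()))) as _time
        values(user_name) as user_name
        values(Flow) as Flow
        values(contextIdUser) as contextIdUser
        values(numDCs) as numDCs
        values(productCount) as productCount
        values(clientIP) as clientIP
        values(laas_hostname) as laas_hostname
        values(flowId) as flowId
        by contextId
| where isnotnull(_time)
| eval status=if(isnull(numDCs), "in progress", "completed")
| table _time, contextId, user_name, Flow, contextIdUser, numDCs, productCount, clientIP, laas_hostname, flowId, status
```

The `where isnotnull(_time)` line keeps only contextIds that have an incoming event inside the search window, so the result behaves like a left join from incoming to completed. Requests still executing keep empty values in the completed-request columns and are marked "in progress".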