I'm trying to set up an alert for the time taken for a process, which I was previously calculating using 3 separate searches. I'm looking to combine them into one so I can directly set up an alert.
(1) The background of the process is that every serial number in the sourcetype has a number of segment IDs, starting from 0. While all serial numbers start with segmentId=0, the largest segment number is different for all devices. So the way I compute the largest segment ID is as follows:
sourcetype="algorithmjoblog" serialNumber="NTEST1234B" | stats max(segmentId) as lastSeg
(2) Next, I calculate the duration between segmentId=0, processing phase=mapStart (i.e., the segment has started processing) and segmentId=max segment, processing phase=mapEnd (i.e., the segment processing has completed).
sourcetype="algorithmjoblog" serialNumber="NTEST1234B" | transaction startswith=(segmentId=0 processingPhase=mapStart) endswith=(segmentId=165 processingPhase=mapEnd)| table duration
(3) Finally, I calculate the time taken for the final stage of the process, integrationStart to integrationEnd, which all serialNumbers go through.
sourcetype="algorithmjoblog" serialNumber="NTEST1234B" | transaction startswith=(phase=integrationStart) endswith=(phase=integrationEnd)| table duration
I'm interested in setting up an alert for the sum of the durations from (2) and (3), i.e., segment processing time + integration time, such that I get an alert when the time exceeds a value, say 10 mins. Also, I would like the alert to encompass all serialNumbers in a search, not just one specific serial number at a time.
I have an updated search, but the problem is that it's only using integration times for the first serialNumber, instead of extracting it from every serial number.
Here's what I ran:
sourcetype=algorithmjoblog serialNumber="NTEST*"
| eval p_{processingPhase}=_time
| stats first(p_*) as * by serialNumber
| eval duration1=mapEnd-mapStart
| table duration1
| join serialNumber [search sourcetype=algorithmjoblog serialNumber="NTEST*" | transaction startswith=(phase=integrationStart) endswith=(phase=integrationEnd) by serialNumber | eval duration2=duration | table duration2]
This is what my table looks like:
duration1    duration2
123.45       101.45
233.34       101.45
3232.234     101.45
23.23        101.45
234.33       101.45
...where 101.45 is the integration time (duration2) for the first serial number (i.e., the one with duration1 of 123.45).
Any inputs on how I could correct my search?
Thank you so much in advance for any help!
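An added example search (not from the original post) that computes both durations per serialNumber in a single stats pass, so no join is needed and serialNumber is never dropped; it assumes segment 0's mapStart is the earliest mapStart and the last segment's mapEnd is the latest mapEnd for a given serialNumber, and it uses coalesce() because the post's searches name the phase field both processingPhase and phase.

```spl
sourcetype=algorithmjoblog serialNumber="NTEST*"
| eval ph=coalesce(processingPhase, phase)
| eval p_{ph}=_time
| stats min(p_mapStart) as mapStart
        max(p_mapEnd) as mapEnd
        min(p_integrationStart) as intStart
        max(p_integrationEnd) as intEnd
        by serialNumber
| eval segDuration=mapEnd-mapStart
| eval intDuration=intEnd-intStart
| eval totalDuration=segDuration+intDuration
| where totalDuration > 600
| table serialNumber segDuration intDuration totalDuration
```

Durations are in seconds, so the where clause is the 10-minute threshold; saving this search as an alert that triggers when the number of results is greater than 0 fires once any serialNumber crosses it, and the result rows name the offending devices. If you prefer to keep the join form instead, the fix is to keep serialNumber on both sides (table serialNumber duration1 before the join and table serialNumber duration2 inside the subsearch), since dropping it is why every row picked up the first serialNumber's integration time.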