This is a fascinating search. Right off, it extracts the time and job_id from each line. Then it assigns an epoch date to each line. Then it evaluates to see if the line it's working on is the correct job ID to start on... except I think at this point it falls down. This search (an extracted part):
index=foo
| rex "^(?<datetime>\d+\s\d+)\s\((?<job_id>\d+)\)"
| eval timestamp = strptime(datetime,"%m%d %H%M%S")
| eval mail_start_time = if(match(_raw, "Log initialized"), timestamp, null())
| eval mail_end_time = if(match(_raw, "EMail Sent Successfully"), timestamp, null())
| table job_id, timestamp, mail_start_time, mail_end_time
Generates this table:
job_id, timestamp, mail_start_time, mail_end_time
1719, 1544130116.000000, ,
1719, 1544130114.000000, ,
0089, 1544130112.000000, ,
0089, 1544130106.000000, ,
1719, 1544130112.000000, ,
1719, 1544130088.000000, ,
1719, 1544130083.000000, ,
0089, 1544130080.000000, 1544130080.000000, 1544130080.000000
1719, 1544130106.000000, ,
0576, 1544130076.000000, ,
1719, 1544130076.000000, ,
1719, 1544130067.000000, ,
1719, 1544130080.000000, ,
0089, 1544130064.000000, ,
1719, 1544130064.000000, ,
1719, 1544130064.000000, ,
1719, 1544130060.000000, ,
1719, 1544130061.000000, ,
1719, 1544130025.000000, ,
0089, 1544130022.000000, ,
1719, 1544130022.000000, ,
1719, 1544130023.000000, ,
0089, 1544130012.000000, ,
1719, 1544130012.000000, ,
It doesn't appear to be finding this event:
1206 090527 (3185) 3 SparkPostOutConnector: Log initialized
...or this event:
1206 090528 (3185) 3 SparkPostOutConnector: EMail Sent Successfully!! Accepted recipients: 2
...so I don't think it's figuring out the time difference between them.
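As an added example (not part of the post, and not Splunk SPL), here is the same pipeline written in Python so the intended result is explicit: the same anchored regex as the rex, the same "%m%d %H%M%S" time parsing, start/end marking on the two message texts, and the per-job difference the search is ultimately after. Assumptions: the sample log lines are constructed, modelled on the two events quoted above plus a few filler lines; the log carries no year, so 2018 is supplied (the 1544130xxx epochs in the table fall on 6 Dec 2018); timestamps are treated as UTC; and the helper names are this example's own.

```python
import re
from datetime import datetime, timezone

# Same extraction as the rex in the post: "MMDD HHMMSS (job_id)" anchored at line start.
LINE_RE = re.compile(r"^(?P<datetime>\d+\s\d+)\s\((?P<job_id>\d+)\)")

START_MARK = "Log initialized"
END_MARK = "EMail Sent Successfully"

# Constructed sample log, modelled on the two events quoted in the post (not real data).
SAMPLE_LOG = """\
1206 090527 (3185) 3 SparkPostOutConnector: Log initialized
1206 090527 (0089) 3 SparkPostOutConnector: Log initialized
1206 090528 (3185) 3 SparkPostOutConnector: EMail Sent Successfully!! Accepted recipients: 2
1206 090531 (0089) 3 SparkPostOutConnector: EMail Sent Successfully!! Accepted recipients: 1
1206 090532 (1719) 3 SparkPostOutConnector: Queue drained
"""


def parse_line(line, year=2018):
    """Return (job_id, epoch_seconds) for one line, or None when the regex does not match.

    The format has no year, so one must be supplied (assumption: 2018). Times are
    interpreted as UTC so the epoch value does not depend on the host's timezone.
    """
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m.group('datetime')}", "%Y %m%d %H%M%S")
    return m.group("job_id"), ts.replace(tzinfo=timezone.utc).timestamp()


def unmatched_lines(log_text):
    """Lines the regex rejects; a non-empty list means rex would yield nothing for them."""
    return [l for l in log_text.splitlines() if l and LINE_RE.match(l) is None]


def mail_durations(log_text, year=2018):
    """Pair each job's first 'Log initialized' with its first 'EMail Sent Successfully'.

    Returns {job_id: seconds_between}. Jobs that have only one of the two
    endpoints (or neither, like 1719 in the sample) are left out.
    """
    starts, ends = {}, {}
    for line in log_text.splitlines():
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        job_id, epoch = parsed
        if START_MARK in line:
            starts.setdefault(job_id, epoch)
        elif END_MARK in line:
            ends.setdefault(job_id, epoch)
    return {j: ends[j] - starts[j] for j in starts if j in ends}


if __name__ == "__main__":
    for job, secs in sorted(mail_durations(SAMPLE_LOG).items()):
        print(f"job {job}: {secs:.0f} s from '{START_MARK}' to '{END_MARK}'")
    for bad in unmatched_lines(SAMPLE_LOG):
        print("no match:", bad)
```

Two checks worth running on real data before trusting the SPL: feed a handful of raw events through `unmatched_lines` (the regex is anchored with `^`, so any prefix in front of "MMDD HHMMSS" makes it fail silently), and confirm the year your Splunk strptime is defaulting to, since the log format never states one.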