I have the following three different types of logs coming into a single source-type
<189>Jul 06 15:38:54|100.888.94.888|sport=64920|sid=11635419210657705766|XX.XX.XX.XX|80|rt=9
<190>Jul 06 15:38:54|10.39.192.90|100.888.94.888|sport=64920|sid=11635419210657705766|Mozilla/5.0 (Windows NT 5.1; rv:30.0) Gecko/20100101 Firefox/30.0||SWEBS=1&SWECmd=InvokeMethod&SWEService=Message+Bar&SWEMethod=UpdatePrefMsg&SWEIPS=%400%600%601%600%60%603%60%60SWEBS%601%60&SWERPC=1&SRN=clPdw5go7eScsXlZ5zpUAlw4LuUxc1dUg1JRlUYnw8gb&SWEC=30&SWETS=1404625134263
<132>Jul 6 15:38:54 lbs241-mgt.com.au ASM:2014-07-06 15:38:54|THISISUSERNAME|ssid=c93ffac13b7f4368|sport=64920|sid=11635419210657705766|100.888.94.888|10.39.192.90|POST|/ppopenui/start.swe<SWECmd=InvokeMethod>|200|alerted
a) How do i relate using the "sid" :- for example for SWEService="Message*" the response time is in the line starting with "<189>" in the field "rt=" and the User who invoked this is in the line starting with "<132>" where i have put "THISISUSERNAME"(note there is no field name for username.)
Note:- All the three lines have constant formatting i.e. its a pipe delimited log file with specific values in each fields.
Also "<180>" , "<190>","<132>" are constant values that distinguishes the three type of logs.
What i am trying to do is to find the Avg response time(i.e. rt) plus another report of which user has viewed with SWEService
Appreciate help.
REgards Irfan
... View more