I was trying to filter the event ID in a subsearch and then use it in the main search to find other events with the related ID, and to compare the time from the subsearch with the last event time from the main search.
The initial line when ID appears is: 2020-04-29 16:14:08,637 backend_7.2.15: INFO services/ConnectionManagerService(backend): \ncreations: 1262172\nupdates: \ncancellations: 1261482-1
One of the problems is that the above event IDs can appear after a decimal, like below:
2020-04-29 16:14:08,791 backend_7.2.15: INFO services/ConnectionManagerService(backend): \ncreations: 1262174,1262175,1262176\nupdates: \ncancellations: 1261438-1,1261436-1,1261440-1
Confirmation line - last:
10.21.160.144.SwitchingCore/openflowConfig! (Config success!). New contributors: Set(book.1262175-1, book.1262174-1, book.1262176-1), removed contributors: Set(book.1261438-1, book.1261440-1, book.1261436-1).
My query:
....... sourcetype=main ConfigurationManagerService
|append [search ................sourcetype=main "ConnectionManagerService(backend)" "\ncreations:"
| multikv noheader=t
| rex "(?:ions: )(?<ID>\d{7})"
| where ID != 0
| rename _time as start_time
| table ID start_time]
| stats earliest(start_time), latest(_time) as stop by ID
How can I make it more efficient, or just get it working?
Part of the log:
2020-04-29 16:19:13,082 backend_7.2.15: INFO services/ConnectionManagerService(backend): \ncreations: 1262180\nupdates: \ncancellations: 1258780-1
2020-04-29 16:14:10,479 backend_7.2.15: INFO services/ConfigurationManagerService(backend): Successfully applied config for 1.......SwitchingCore/rpfPortConfig! (Config success!). New contributors: Set(book.1262174-1, book.1262176-1), removed contributors: Set().
2020-04-29 16:14:09,498 backend_7.2.15: INFO services/ConfigurationManagerService(backend): Successfully applied config for 1....70000/igmpPortConfig! (Config success!). New contributors: Set(book.1262174-1, book.1262176-1), removed contributors: Set().
2020-04-29 16:14:09,442 backend_7.2.15: INFO services/ConfigurationManagerService(backend): Successfully applied config for 1.....10002/igmpPortConfig! (Config success!). New contributors: Set(book.1262176-1), removed contributors: Set().
2020-04-29 16:14:09,438 backend_7.2.15: INFO services/ConfigurationManagerService(backend): Successfully applied config for 1......70000/igmpPortConfig! (Config success!). New contributors: Set(book.1262175-1), removed contributors: Set().
2020-04-29 16:14:09,388 backend_7.2.15: INFO services/ConfigurationManagerService(backend): Successfully applied config for 1.......SwitchingCore/openflowConfig! (Config success!). New contributors: Set(book.1262175-1, book.1262174-1, book.1262176-1), removed contributors: Set(book.1261438-1, book.1261440-1, book.1261436-1).
2020-04-29 16:14:09,314 backend_7.2.15: INFO services/ConfigurationManagerService(backend): ControlledVertexFSM@1.........70000/igmpPortConfig: New config retrieved by Root state with delay None, new contributors: Set(book.1262174-1, book.1262176-1), removed contributors: Set()
2020-04-29 16:14:09,313 backend_7.2.15: INFO services/ConfigurationManagerService(backend): ControlledVertexFSM@1......70000/igmpPortConfig: New config retrieved by Root state with delay None, new contributors: Set(book.1262175-1), removed contributors: Set()
2020-04-29 16:14:09,313 backend_7.2.15: INFO services/ConfigurationManagerService(backend): ControlledVertexFSM@1......SwitchingCore/rpfPortConfig: New config retrieved by Root state with delay None, new contributors: Set(book.1262176-1), removed contributors: Set()
2020-04-29 16:14:09,308 backend_7.2.15: INFO services/ConfigurationManagerService(backend): ControlledVertexFSM@1..........SwitchingCore/rpfPortConfig: New config retrieved by Root state with delay None, new contributors: Set(book.1262174-1, book.1262176-1), removed contributors: Set()
2020-04-29 16:14:09,306 backend_7.2.15: INFO services/ConfigurationManagerService(backend): ControlledVertexFSM@1.........SwitchingCore/openflowConfig: New config retrieved by Root state with delay None, new contributors: Set(book.1262175-1, book.1262174-1, book.1262176-1), removed contributors: Set(book.1261438-1, book.1261440-1, book.1261436-1)
2020-04-29 16:14:09,305 backend_7.2.15: INFO services/ConfigurationManagerService(backend): ControlledVertexFSM@1........SwitchingCore/rpfPortConfig: New config retrieved by Root state with delay None, new contributors: Set(book.1262175-1), removed contributors: Set()
2020-04-29 16:14:09,303 backend_7.2.15: INFO services/ConfigurationManagerService(backend): ControlledVertexFSM@1.......10002/igmpPortConfig: New config retrieved by Root state with delay None, new contributors: Set(book.1262176-1), removed contributors: Set()
2020-04-29 16:14:09,302 backend_7.2.15: INFO services/ConfigurationManagerService(backend): ControlledVertexFSM@1........SwitchingCore/openflowConfig: New config retrieved by Root state with delay None, new contributors: Set(book.1262175-1, book.1262174-1), removed contributors: Set()
2020-04-29 16:14:09,300 backend_7.2.15: INFO services/ConfigurationManagerService(backend): ControlledVertexFSM@1........SwitchingCore/openflowConfig: New config retrieved by Root state with delay None, new contributors: Set(book.1262176-1), removed contributors: Set()
2020-04-29 16:14:08,914 backend_7.2.15: INFO services/ConfigurationManagerService(backend): Successfully applied config for 1........SwitchingCore/openflowConfig! (Config success!). New contributors: Set(book.1262172-1), removed contributors: Set(book.1261482-1).
2020-04-29 16:14:08,837 backend_7.2.15: INFO services/ConfigurationManagerService(backend): ControlledVertexFSM@1.......SwitchingCore/openflowConfig: New config retrieved by Root state with delay None, new contributors: Set(book.1262172-1), removed contributors: Set(book.1261482-1)
2020-04-29 16:14:08,836 backend_7.2.15: INFO services/ConfigurationManagerService(backend): ControlledVertexFSM@1........SwitchingCore/openflowConfig: New config retrieved by Root state with delay None, new contributors: Set(book.1262172-1), removed contributors: Set(book.1261482-1)
2020-04-29 16:14:08,835 backend_7.2.15: INFO services/ConfigurationManagerService(backend): ControlledVertexFSM@1.......70000/igmpPortConfig: New config retrieved by Root state with delay None, new contributors: Set(book.1262172-1), removed contributors: Set(book.1261482-1)
2020-04-29 16:14:08,835 backend_7.2.15: INFO services/ConfigurationManagerService(backend): ControlledVertexFSM@1........SwitchingCore/rpfPortConfig: New config retrieved by Root state with delay None, new contributors: Set(book.1262172-1), removed contributors: Set(book.1261482-1)
2020-04-29 16:14:08,791 backend_7.2.15: INFO services/ConnectionManagerService(backend): \ncreations: 1262174,1262175,1262176\nupdates: \ncancellations: 1261438-1,1261436-1,1261440-1
2020-04-29 16:14:08,637 backend_7.2.15: INFO services/ConnectionManagerService(backend): \ncreations: 1262172\nupdates: \ncancellations: 1261482-1
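The correlation asked about above, worked through outside Splunk as an added example (not part of the original post, and not SPL): every ID on a `creations:` line is taken as a start time and matched to the latest "Config success" line that lists it under New contributors. The sample lines are abridged from the post's log excerpt with device paths shortened to `dev`; the function and pattern names are assumptions of this sketch.

```python
import re
from datetime import datetime, timedelta

# Abridged from the post's log excerpt; device paths are shortened to "dev".
SAMPLE_LOG = r"""
2020-04-29 16:14:10,479 backend_7.2.15: INFO services/ConfigurationManagerService(backend): Successfully applied config for dev/rpfPortConfig! (Config success!). New contributors: Set(book.1262174-1, book.1262176-1), removed contributors: Set().
2020-04-29 16:14:09,438 backend_7.2.15: INFO services/ConfigurationManagerService(backend): Successfully applied config for dev/igmpPortConfig! (Config success!). New contributors: Set(book.1262175-1), removed contributors: Set().
2020-04-29 16:14:09,388 backend_7.2.15: INFO services/ConfigurationManagerService(backend): Successfully applied config for dev/openflowConfig! (Config success!). New contributors: Set(book.1262175-1, book.1262174-1, book.1262176-1), removed contributors: Set(book.1261438-1, book.1261440-1, book.1261436-1).
2020-04-29 16:14:09,306 backend_7.2.15: INFO services/ConfigurationManagerService(backend): ControlledVertexFSM@dev/openflowConfig: New config retrieved by Root state with delay None, new contributors: Set(book.1262175-1, book.1262174-1, book.1262176-1), removed contributors: Set(book.1261438-1, book.1261440-1, book.1261436-1)
2020-04-29 16:14:08,914 backend_7.2.15: INFO services/ConfigurationManagerService(backend): Successfully applied config for dev/openflowConfig! (Config success!). New contributors: Set(book.1262172-1), removed contributors: Set(book.1261482-1).
2020-04-29 16:14:08,791 backend_7.2.15: INFO services/ConnectionManagerService(backend): \ncreations: 1262174,1262175,1262176\nupdates: \ncancellations: 1261438-1,1261436-1,1261440-1
2020-04-29 16:14:08,637 backend_7.2.15: INFO services/ConnectionManagerService(backend): \ncreations: 1262172\nupdates: \ncancellations: 1261482-1
"""

TS = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) ")
CREATED = re.compile(r"ConnectionManagerService\(backend\): .*?creations: ([\d,]+)")
CONFIRMED = re.compile(r"\(Config success!\)\. New contributors: Set\(([^)]*)\)")
BOOK_ID = re.compile(r"book\.(\d+)-\d+")

def correlate(log_text):
    """Map each created ID to (start, last confirmation, elapsed ms)."""
    start, stop = {}, {}
    for line in log_text.splitlines():
        ts = TS.match(line)
        if not ts:
            continue
        when = datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S,%f")
        created = CREATED.search(line)
        confirmed = CONFIRMED.search(line)
        if created:
            # One event can announce several comma-separated IDs.
            for event_id in filter(None, created.group(1).split(",")):
                start[event_id] = min(when, start.get(event_id, when))
        elif confirmed:
            # Only the "New contributors" set counts; removed IDs are ignored.
            for event_id in BOOK_ID.findall(confirmed.group(1)):
                stop[event_id] = max(when, stop.get(event_id, when))
    result = {}
    for event_id, began in start.items():
        ended = stop.get(event_id)  # None if the ID was never confirmed
        elapsed = (ended - began) // timedelta(milliseconds=1) if ended else None
        result[event_id] = (began, ended, elapsed)
    return result

if __name__ == "__main__":
    for event_id, (began, ended, ms) in sorted(correlate(SAMPLE_LOG).items()):
        print(event_id, began.time(), ended.time() if ended else "-", ms)
```

In SPL, the per-event multi-value step shown here corresponds to extracting with `rex max_match=0` and splitting the values with `mvexpand` before the `stats ... by ID`.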