I'm looking at events and I'm trying to determine which files are not "deleted" from the folder on a server after files have been "uploaded". If the file is deleted, it means it has been successfully transferred. I'm able to use the "transaction" command to determine the duration of a successful file transfer; however, I'm not able to figure out which files are stuck in the folder, since the "delete" event did not occur for some files. Help would be appreciated.
This is what I have so far, but it needs fixing to determine which files are "stuck". I think a join might be needed?
index=main* ("Found new file" OR "Deleted file")
| rex field=_raw "Found new file .*\\\\(?P<files>[^\"]+)\"}"
| rex field=_raw "Deleted file (?P<files>[^\"]+)\"}"
| transaction user files keepevicted=t mvlist=true startswith="Found new file" endswith="Deleted file"
| where closed_txn=0
| table _time user files duration _raw
| sort _time desc
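As an added example that is not part of the original post and not Splunk's own code, the pairing that the transaction command performs (one "Found new file" start event matched with the next "Deleted file" end event for the same user and file) is written out in Python below over a handful of constructed sample events. The event shape (a timestamp, a JSON-like body with a "user" key, and a message ending in "}" with Windows-style backslash paths) is assumed from the rex patterns in the question; the three outcome buckets beyond "completed" (stuck finds with no delete, finds superseded by a second upload of the same file, and deletes with no preceding find) are the cases a practitioner will want to see separated rather than folded into one duration=0 bucket.

```python
import re
from datetime import datetime

# Constructed sample events (not from the original post). The shape is an
# assumption based on the rex patterns in the question: "<timestamp> {json}"
# with a "user" key and a message that ends in "} and uses backslash paths.
SAMPLE_EVENTS = [
    r'2024-03-01T10:00:00 {"user":"alice","msg":"Found new file C:\uploads\a.csv"}',
    r'2024-03-01T10:00:05 {"user":"alice","msg":"Deleted file a.csv"}',
    r'2024-03-01T10:01:00 {"user":"bob","msg":"Found new file C:\uploads\b.csv"}',
    r'2024-03-01T10:02:00 {"user":"alice","msg":"Found new file C:\uploads\c.csv"}',
    r'2024-03-01T10:02:30 {"user":"alice","msg":"Found new file C:\uploads\c.csv"}',
    r'2024-03-01T10:03:00 {"user":"alice","msg":"Deleted file c.csv"}',
    r'2024-03-01T10:04:00 {"user":"carol","msg":"Deleted file d.csv"}',
]

# Same extraction logic as the question's two rex commands: the bare file
# name after the last backslash for "Found", the name as logged for "Deleted".
HEAD_RE = re.compile(r'^(?P<ts>\S+) .*"user":"(?P<user>[^"]+)"')
FOUND_RE = re.compile(r'Found new file .*\\(?P<file>[^"]+)"\}')
DELETED_RE = re.compile(r'Deleted file (?P<file>[^"]+)"\}')


def parse(line):
    """Return (timestamp, user, kind, file) or None if the line is not one of the two events."""
    head = HEAD_RE.match(line)
    if not head:
        return None
    ts = datetime.fromisoformat(head.group("ts"))
    m = FOUND_RE.search(line)
    if m:
        return ts, head.group("user"), "found", m.group("file")
    m = DELETED_RE.search(line)
    if m:
        return ts, head.group("user"), "deleted", m.group("file")
    return None


def pair_transfers(lines):
    """Pair each 'Found new file' with the next 'Deleted file' for the same (user, file).

    Returns a dict of lists:
      completed  - (user, file, duration_seconds): the find got its delete
      stuck      - (user, file, found_at): the find never got a delete (the open transactions)
      superseded - (user, file, found_at): a second find of the same key arrived before any
                   delete and restarted the transaction, as startswith does
      orphans    - (user, file, deleted_at): a delete with no open find for that key
    """
    events = [e for e in map(parse, lines) if e]
    events.sort(key=lambda e: e[0])  # pairing only makes sense in time order
    open_finds = {}                  # (user, file) -> time of the open "Found new file"
    result = {"completed": [], "stuck": [], "superseded": [], "orphans": []}
    for ts, user, file, kind in ((e[0], e[1], e[3], e[2]) for e in events):
        key = (user, file)
        if kind == "found":
            if key in open_finds:
                result["superseded"].append((user, file, open_finds[key].isoformat()))
            open_finds[key] = ts
        else:
            start = open_finds.pop(key, None)
            if start is None:
                result["orphans"].append((user, file, ts.isoformat()))
            else:
                result["completed"].append((user, file, (ts - start).total_seconds()))
    # Whatever is still open at the end is exactly the "stuck" set the question asks for.
    result["stuck"] = [
        (u, f, t.isoformat())
        for (u, f), t in sorted(open_finds.items(), key=lambda kv: kv[1])
    ]
    return result


if __name__ == "__main__":
    report = pair_transfers(SAMPLE_EVENTS)
    for bucket in ("stuck", "completed", "superseded", "orphans"):
        for row in report[bucket]:
            print(f"{bucket:10s} {row}")
```

Run against the constructed events, b.csv for bob is the only stuck file; the repeated upload of c.csv shows why a duration=0 test alone is not enough, since the second find restarts the clock and the first find would otherwise vanish silently.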