I have data that looks like this:
2017-01-17 22:18:18.330 Info: [Event:id=API_Metrics] [===== STARTING /individual/preferences/v1.5, RAND=9296226956377273381, TS=14847130983159950
2017-01-17 22:18:18.330 Info: [Event:id=API_Metrics] [===== PARAMS FOR /individual/preferences/v1.5, RAND=9296226956377273381, TS=14847130983159950
2017-01-17 22:18:18.330 Info: policyNumber=####
2017-01-17 22:18:18.330 Info: dob=#####
2017-01-17 22:18:18.330 Info: fname=FFFFFFF
2017-01-17 22:18:18.330 Info: subscriberId=######
2017-01-17 22:18:18.330 Info: lname=LLLLL
2017-01-17 22:18:18.330 Info: =====]
****events that contain none of the above keys or information, just other text****
2017-01-17 22:18:23.092 Info: [Event:id=API_Metrics] [===== ENDING /individual/preferences/v1.5, RAND=9296226956377273381, TS=14847130983159950, TIME=PT4.762855S, CODE=200
The beginning and end of the transaction are clearly defined, but the events that come after PARAMS and before ENDING do not contain the values for usable grouping keys, like RAND or TS.
How can I write a search that will return the whole group from start to end? I tried this:
index="marklogic_datafabric" event_id=* | transaction event_id startswith=position=STARTING endswith=position=ENDING
...but it only returns the lines that have a "position" field, not those that are in between.
2017-01-19 12:14:11.030 Info: [Event:id=API_Metrics] [===== STARTING /individuals/touchpoint/v1.0/search, RAND=2104724838533797466, TS=14848496416750860
2017-01-19 12:14:11.030 Info: [Event:id=API_Metrics] [===== PARAMS FOR /individuals/touchpoint/v1.0/search, RAND=2104724838533797466, TS=14848496416750860
2017-01-19 12:14:11.250 Info: [Event:id=API_Metrics] [===== ENDING /individuals/touchpoint/v1.0/search, RAND=2104724838533797466, TS=14848496416750860, TIME=PT0.220528S, CODE=200
Also, the time stamps are not all the same, so I unfortunately cannot work with that.
Suggestions, please!
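The grouping asked for above, sketched in Python outside Splunk as an added example (not part of the original post, and not SPL): a stateful pass opens a transaction at STARTING, lets the keyless lines inherit it, and closes it at the ENDING line with the same RAND. The function name, the rule that keyless lines go to the most recently opened transaction, and the `ambiguous` flag are assumptions of this sketch; the sample lines are constructed from the excerpts in the post.

```python
import re

# Marker lines carry RAND; every other line is keyless (format taken from the post).
MARKER = re.compile(r"\[===== (STARTING|PARAMS FOR|ENDING) (\S+), RAND=(\d+), TS=(\d+)")

def group_transactions(lines):
    """Group log lines into transactions bounded by STARTING/ENDING markers.

    Keyless lines inherit the most recently opened, still-open transaction.
    If several transactions are open at that moment the attribution is a
    guess, so the transaction is flagged ambiguous (assumption of this sketch).
    """
    open_tx = {}   # RAND -> transaction; insertion order is open order
    done = []
    for line in lines:
        m = MARKER.search(line)
        if m:
            position, endpoint, rand, _ts = m.groups()
            if position == "STARTING":
                open_tx[rand] = {"rand": rand, "endpoint": endpoint, "events": [],
                                 "complete": False, "ambiguous": False}
            tx = open_tx.get(rand)
            if tx is None:
                continue  # PARAMS/ENDING without a matching STARTING
            tx["events"].append(line)
            if position == "ENDING":
                tx["complete"] = True
                done.append(open_tx.pop(rand))
        elif open_tx:
            tx = next(reversed(open_tx.values()))
            tx["ambiguous"] = tx["ambiguous"] or len(open_tx) > 1
            tx["events"].append(line)
    done.extend(open_tx.values())  # ENDING never seen: complete stays False
    return done

# Constructed sample built from the excerpts in the post.
SAMPLE = """\
2017-01-17 22:18:18.330 Info: [Event:id=API_Metrics] [===== STARTING /individual/preferences/v1.5, RAND=9296226956377273381, TS=14847130983159950
2017-01-17 22:18:18.330 Info: [Event:id=API_Metrics] [===== PARAMS FOR /individual/preferences/v1.5, RAND=9296226956377273381, TS=14847130983159950
2017-01-17 22:18:18.330 Info: policyNumber=####
2017-01-17 22:18:18.330 Info: =====]
2017-01-17 22:18:23.092 Info: [Event:id=API_Metrics] [===== ENDING /individual/preferences/v1.5, RAND=9296226956377273381, TS=14847130983159950, TIME=PT4.762855S, CODE=200
2017-01-19 12:14:11.030 Info: [Event:id=API_Metrics] [===== STARTING /individuals/touchpoint/v1.0/search, RAND=2104724838533797466, TS=14848496416750860
""".splitlines()

if __name__ == "__main__":
    for tx in group_transactions(SAMPLE):
        print(tx["rand"], tx["endpoint"], len(tx["events"]), tx["complete"], tx["ambiguous"])
```

Transactions flagged `ambiguous` or left with `complete` set to false are the ones to review by hand, since their keyless lines (which here include the masked personal fields) may belong to a different request.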