I have 2 log files from different sources. Both log files have statements indicating either a "Transaction-Start" or a "Transaction-End". "EPOCH" is a field common to both log files indicating the timestamp of either the start or the end of a transaction.
Now I want to write a query that fetches the EPOCH of "Transaction-Start" from log file 1, call it, say, start, and the EPOCH of "Transaction-End" from log file 2, call it, say, end. Following this, I want to find the difference between end and start and display only those logs with a difference higher than a threshold, say 10000.
What I have tried writing is below:
index=someIndex ENVIRONMENT="someEnv" (source="/log/source1.log" "Transaction-Start" "EPOCH" as start) OR (source="/log/source2.log" "Transaction-End" "EPOCH" as end)
| eval difference=end-start
| where difference>10000
But this is not working. Looking for help in composing this search in the right way.
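A search that produces the requested result, added here as an illustration and not part of the original post. It assumes a field shared by both log files that identifies the transaction (called TXN_ID below; that name is an assumption, substitute whatever field ties a start to its end). Without such a key there is nothing to pair a start event from source1.log with an end event from source2.log. Two things in the attempted search do not do what was intended: "EPOCH" as start inside the base search is not an SPL construct (renaming is done with rename or eval after the search), and eval difference=end-start runs on each event on its own, where only one of start or end exists, so the subtraction is null on every row. The fix is to derive start and end per event, collapse the two events of a transaction into one row with stats, and subtract only then:

```spl
index=someIndex ENVIRONMENT="someEnv"
    ((source="/log/source1.log" "Transaction-Start") OR (source="/log/source2.log" "Transaction-End"))
| eval start=if(source="/log/source1.log" AND match(_raw, "Transaction-Start"), tonumber(EPOCH), null())
| eval end=if(source="/log/source2.log" AND match(_raw, "Transaction-End"), tonumber(EPOCH), null())
| stats min(start) AS start, max(end) AS end BY TXN_ID
| where isnotnull(start) AND isnotnull(end)
| eval difference=end-start
| where difference>10000
| table TXN_ID, start, end, difference
```

tonumber(EPOCH) guards against EPOCH having been extracted as a string, in which case end-start would silently yield null. The isnotnull filter drops transactions that have only a start or only an end in the searched time range, so an open transaction is not reported as a negative or null difference. The threshold 10000 is compared in whatever unit EPOCH is written in (seconds or milliseconds), so check the raw log lines before trusting the number. stats BY a shared field is the usual way to do this in Splunk; the transaction command can do the same pairing but is considerably slower on large result sets.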