Hi,
I want to count the number or errors within two keywords say starttran and endtran.
My log data would be like
starttran
tran Id:1000
error*
abc done
error*
endtran
My query : sourcetype="abc" | eval haserror=if(searchmatch("error"),1,0) | transaction startswith=starttran endswith=endtran mvlist=haserror | table haserror TRANID
O/P
haserror / TRANID
0
0 / 1000
1
0
1
0
But i want it like
haserror / TRANID
2 / 1000
I tried using sum(haserror) by TRANID but din't. Kindly help . Also here can't TRANID be used as unique ID ?
Thanks a lot
... View more