Hi there,
I have an index storing information about network connections which receives information about such connections every five (5) minutes. Each event has an identifier (id), which states the connection that the event belongs to. Then, I need to group the events by their id so I can compute traffic differences and other stats per connection.
When I run the command for a single device (by filtering by src prior the transaction command), all connections for the given device are properly extracted. This is the command:
index=xxx event_type=detailed_connections earliest=11/24/2017:13:00:0 latest=11/24/2017:15:00:0 src=/P1zWkJszeaoJTZBVDI8ow
| transaction id mvlist=true keepevicted=true maxspan=-1 maxpause=-1 maxevents=-1
| table src id bytes_in eventcount closed_txn
And these are the results. Let's focus, for instance, on the connection with id = 49529754583063. We can see that the transaction is composed of 13 events with increasing traffic (bytes_in). This is perfectly fine.
However, when running the same command BUT WITHOUT SPECIFYING ANY DEVICE (no src filtering before the transaction command),
index=nexthink event_type=detailed_connections earliest=11/24/2017:13:00:0 latest=11/24/2017:15:00:0
| transaction id mvlist=true keepevicted=true maxspan=-1 maxpause=-1 maxevents=-1
| table src id bytes_in eventcount closed_txn
I realized that some events are not grouped as they should.
Focusing on the same connection as before, I can see several different transactions with the same id, but eventcount equal to 1 (just showing some of them, not all of them).
As a result, I cannot compute trustworthy stats for all devices, and running the same command over and over again device by device is not acceptable.
As you can see, I've removed the limit for maxspan, maxevents, maxpause, and I'm keeping the evicted ones. What am I doing wrong? Is this actually a bug (I don't think so)? How can I get transactions properly grouped when working with thousands of events?
Thanks in advance for the support!
Regards,
Leo
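The per-connection grouping and traffic-difference computation described in the question, written as an added example in Python that is not part of the post and does not use the poster's data. The field names src, id and bytes_in come from the post; the sample events, their _time values and the fragmented-transaction rows are constructed here to show what a correctly grouped connection looks like and how to detect the "same id, eventcount=1 several times" symptom in a results table.

```python
from collections import defaultdict

# Constructed sample events (not from the original post). Each dict mimics the
# fields named there (src, id, bytes_in) plus an epoch _time for ordering.
# bytes_in is treated as a cumulative per-connection counter sampled every
# five minutes (300 s), which is why deltas between consecutive events are
# the per-interval traffic.
SAMPLE_EVENTS = [
    {"_time": 1511528400, "src": "devA", "id": "conn-1", "bytes_in": 100},
    {"_time": 1511528700, "src": "devA", "id": "conn-1", "bytes_in": 250},
    {"_time": 1511529000, "src": "devA", "id": "conn-1", "bytes_in": 400},
    {"_time": 1511528400, "src": "devB", "id": "conn-2", "bytes_in": 50},
    {"_time": 1511528700, "src": "devB", "id": "conn-2", "bytes_in": 80},
    {"_time": 1511528400, "src": "devC", "id": "conn-3", "bytes_in": 10},
]

# Constructed rows resembling the post's `table src id eventcount` output when
# grouping went wrong: the same id shows up in several one-event transactions.
FRAGMENTED_ROWS = [
    {"src": "devA", "id": "conn-1", "eventcount": 1},
    {"src": "devA", "id": "conn-1", "eventcount": 1},
    {"src": "devB", "id": "conn-2", "eventcount": 2},
]


def group_by_connection(events):
    """Group events by connection id and order each group by time. This is
    the grouping a `transaction id` (or `stats ... by id`) search is expected
    to produce when every event with the same id lands in one group."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev["id"]].append(ev)
    for evs in groups.values():
        evs.sort(key=lambda e: e["_time"])
    return dict(groups)


def connection_stats(events):
    """Per-connection stats: event count, first/last counter values, total
    traffic delta, whether the counter only ever increased, and duration."""
    out = {}
    for cid, evs in group_by_connection(events).items():
        counts = [e["bytes_in"] for e in evs]
        deltas = [b - a for a, b in zip(counts, counts[1:])]
        out[cid] = {
            "src": sorted({e["src"] for e in evs}),
            "eventcount": len(evs),
            "bytes_in_first": counts[0],
            "bytes_in_last": counts[-1],
            "total_delta": counts[-1] - counts[0],
            "interval_deltas": deltas,
            "monotonic": all(d >= 0 for d in deltas),
            "duration": evs[-1]["_time"] - evs[0]["_time"],
        }
    return out


def find_fragmented(rows):
    """Given transaction result rows (id, eventcount), return the ids that
    appear in more than one row, i.e. connections that were split into
    several transactions instead of one."""
    seen = defaultdict(int)
    for row in rows:
        seen[row["id"]] += 1
    return sorted(cid for cid, n in seen.items() if n > 1)


if __name__ == "__main__":
    for cid, st in connection_stats(SAMPLE_EVENTS).items():
        print(cid, st)
    print("fragmented ids:", find_fragmented(FRAGMENTED_ROWS))
```

The aggregation in connection_stats is the same per-id computation that `stats count min(bytes_in) max(bytes_in) by id` performs in SPL; unlike `transaction`, `stats` does not keep open transactions in memory while the search runs, so it is the usual choice when the grouping key alone (here, id) is enough to define the group. find_fragmented is a quick sanity check to run over any transaction output before trusting the numbers: an id that appears in more than one row means its events were not grouped together.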