We have a system where event pairing occurs only for a specific type of messageId:
event=1 messageId=100 requestor=human1
event=2 messageId=200 requestor=human2
event=3 messageId=201 requestor=human2
event=4 messageId=300 requestor=human3
event=5 messageId=300 requestor=human4
event=6 messageId=300 requestor=human4
In the above example, we need to group the events ONLY if the messageId is 20* (i.e. in the 200s) and based on requestor.
Currently the simple query is:
... | transaction requestor
Looking for output something like this, so event=2 and event=3 will be a single transaction:
event=1 messageId=100 requestor=human1
event=2 messageId=200 requestor=human2 event=3 messageId=201 requestor=human2
event=4 messageId=300 requestor=human3
event=5 messageId=300 requestor=human4
event=6 messageId=300 requestor=human4
I'm looking for something like:
... | transaction requestor where messageId=20*
PS: I don't want to group for messageId=300 even if it's the same requestor (events 5 & 6).
Ideally I'm looking for the transaction to be done only on specific events without needing multiple queries on the raw data.
Any ideas/tricks to do this?
Maybe filter before the transaction?
index = <your_index> sourcetype = <your_sourcetype> messageId = 20* ... | transaction ....
What is your desired outcome of the search?
Hi mate, I have put the desired outcome in the question itself.
In your logic it gives ONLY events with 20* to the transaction command. So only 20* will be output, but it will remove the rest of the messages.
I think I understand now.
The search below is not perfect, as it relies on the random function, and maybe occasionally you will hit the same random number twice with the same requestor, but I find it very unlikely. You can also increase the number in that function as high as you see fit.
| makeresults count = 1
| eval data = "event=1,messageId=100,requestor=human1;
event=2,messageId=200,requestor=human2;
event=3,messageId=201,requestor=human2;
event=4,messageId=300,requestor=human3;
event=5,messageId=300,requestor=human4;
event=6,messageId=300,requestor=human4"
| makemv delim=";" data
| mvexpand data
| eval _time = now() - random()%100
| eval _raw = data
| extract pairdelim="," kvdelim="="
| table _time _raw event messageId requestor
| rename COMMENT as "the above generates data below is the solution"
| eval trans_event = if(like(messageId,"20%"),"1",random()%100000000000)
| transaction requestor trans_event
Hope you like it.
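The same idea can be made deterministic: instead of a random number, give every non-20* event a key derived from its own event number, which is unique by construction, so such events can never be merged with one another, while all 20* events share one constant key and are grouped by requestor. The search below is an added example written for this thread, not the answerer's search; it reuses the constructed sample data from the question, and the field names trans_key and the timestamp spacing are assumptions.

```spl
| makeresults count=1
| eval data="event=1,messageId=100,requestor=human1;event=2,messageId=200,requestor=human2;event=3,messageId=201,requestor=human2;event=4,messageId=300,requestor=human3;event=5,messageId=300,requestor=human4;event=6,messageId=300,requestor=human4"
| makemv delim=";" data
| mvexpand data
| eval _raw=data
| extract pairdelim="," kvdelim="="
| rename COMMENT as "constructed sample data above; give each event a distinct, increasing timestamp so transaction ordering is stable"
| eval _time=now() - 600 + tonumber(event)*60
| rename COMMENT as "grouping key: all 20* messages share the constant key grp; every other event gets its own key built from its event number, so it can never be merged with another event"
| eval trans_key=if(like(messageId,"20%"), "grp", "single_".event)
| transaction requestor trans_key
| table _time requestor trans_key eventcount _raw
```

Expected result: one transaction for requestor=human2 with eventcount=2 (events 2 and 3), and a single-event transaction for each of events 1, 4, 5 and 6, including the two messageId=300 events from human4, which stay apart because their keys differ. In a real search, replace the makeresults/eval/extract lines with your index and sourcetype and keep only the two eval lines and the transaction; the _time eval is only needed because makeresults gives every generated row the same timestamp.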
I liked the concept. I will try it in my scenario and let you know. In the meantime, I've upvoted your comment.
Have you tried keeporphans=true? This should display all other results alongside any groupings.
I tried that, but how to ensure it groups only the 20* messages?