The events look like this:
DATE=2015-01-19;TIME=10:34:20;STATUS=INFO;ID=57689;JOB=;ACTION=updateCounter;REASON=NotDigital
DATE=2015-01-19;TIME=10:34:20;STATUS=INFO;ID=30689;JOB=;ACTION=updateCounter;REASON=NotDigital
DATE=2015-01-19;TIME=10:34:20;STATUS=INFO;ID=57689;JOB=;ACTION=updateCounter;REASON=Digital
DATE=2015-01-19;TIME=10:34:20;STATUS=INFO;ID=30689;JOB=;ACTION=updateCounter;REASON=Digital
I do group them in a transaction (transaction ID, REASON).
It does happen that the ORDER gets deleted by the application owner. Then I do have the following event:
DATE=2015-01-09;TIME=14:04:30;STATUS=INFO; JOB=HousekeepingTask;ACTION=deleteFromFileSystem;REASON=Order 30689 removed from file system by user example
The search looks like:
search index=applicationX sourcetype=application | transaction ID, REASON maxspan=350000s | chart stuff ...
I know I could remove them from the results with NOT ID=XXXYYY, but I need to remove them as soon as the orders are removed by the application.
Thank you very much for any suggestion.
Perhaps something like this?
search index=applicationX sourcetype=application | transaction ID maxspan=350000s | where NOT like(REASON,"% removed %") | chart stuff ...
I removed REASON from the transaction command so all events with the same ID will be in the same transaction. Then the where
command should eliminate transactions with "remove" in the REASON field.
Well yes, indeed this will work; I need to add a transaction with REASON at the end:
search index=applicationX sourcetype=application | transaction ID maxspan=350000s | where NOT like(REASON,"% removed %") | transaction REASON | chart stuff ...
It can happen that I have something like 250000 events; this may slow the report down. I will give it a try to accelerate the search.
Otherwise, I will summarize, then create the report on the summary index.
Thank you richgalloway.
Thank you. This won't work because your example removes only the event (or transaction) with "removed" in it.
As you can see, the REASON field has different value. I tried that.
The search needs to somehow get the ID from the remove event into a variable and then NOT ID like...
Sorry if my explanation is misleading.
According to the manual, the where command should remove the entire transaction.
The key is making sure all events with the same ID are the same transaction. That is why I use only the ID field in the transaction command.
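As an added illustration (not code from the thread or from Splunk), the following Python script shows the two-pass shape the question asks for: first collect the order IDs named in the housekeeping deletion events (where the ID is embedded in the REASON text rather than in the ID field), then exclude every event carrying one of those IDs before grouping the rest by (ID, REASON) the way `transaction ID, REASON` does. The sample lines are constructed from the events quoted above; the regex `Order (\d+) removed`, the `ACTION=deleteFromFileSystem` test and the helper names are assumptions chosen for this example.

```python
import re
from collections import defaultdict

# Constructed sample events in the thread's KEY=VALUE;KEY=VALUE format:
# four updateCounter events and one housekeeping deletion of order 30689.
SAMPLE_EVENTS = [
    "DATE=2015-01-19;TIME=10:34:20;STATUS=INFO;ID=57689;JOB=;ACTION=updateCounter;REASON=NotDigital",
    "DATE=2015-01-19;TIME=10:34:20;STATUS=INFO;ID=30689;JOB=;ACTION=updateCounter;REASON=NotDigital",
    "DATE=2015-01-19;TIME=10:34:20;STATUS=INFO;ID=57689;JOB=;ACTION=updateCounter;REASON=Digital",
    "DATE=2015-01-19;TIME=10:34:20;STATUS=INFO;ID=30689;JOB=;ACTION=updateCounter;REASON=Digital",
    "DATE=2015-01-09;TIME=14:04:30;STATUS=INFO; JOB=HousekeepingTask;ACTION=deleteFromFileSystem;"
    "REASON=Order 30689 removed from file system by user example",
]

# Assumed pattern for the deletion message; the order ID only appears here.
REMOVED_RE = re.compile(r"Order (\d+) removed")


def parse_event(line):
    """Split a 'KEY=VALUE;KEY=VALUE' line into a dict, tolerating stray spaces."""
    fields = {}
    for part in line.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        fields[key.strip()] = value
    return fields


def removed_ids(events):
    """Pass 1: order IDs named in deletion events (the ID field is empty there)."""
    ids = set()
    for ev in events:
        if ev.get("ACTION") == "deleteFromFileSystem":
            match = REMOVED_RE.search(ev.get("REASON", ""))
            if match:
                ids.add(match.group(1))
    return ids


def group_transactions(events):
    """Pass 2: drop events whose ID was removed, then group by (ID, REASON)."""
    gone = removed_ids(events)
    txns = defaultdict(list)
    for ev in events:
        order_id = ev.get("ID")
        if not order_id or order_id in gone:
            continue  # no ID (deletion event) or order already deleted
        txns[(order_id, ev.get("REASON", ""))].append(ev)
    return dict(txns)


def count_by_reason(txns):
    """Stand-in for the 'chart stuff' step: number of transactions per REASON."""
    counts = defaultdict(int)
    for (_, reason) in txns:
        counts[reason] += 1
    return dict(counts)


def run(lines=SAMPLE_EVENTS):
    """Parse, filter and group the lines; returns (transactions, counts)."""
    txns = group_transactions([parse_event(line) for line in lines])
    return txns, count_by_reason(txns)


if __name__ == "__main__":
    transactions, counts = run()
    for key, evs in sorted(transactions.items()):
        print(key, len(evs), "event(s)")
    print(counts)
```

Running it keeps only the two transactions for order 57689 and drops both events for order 30689, which is the behaviour the question describes. A single `where` on REASON cannot do this because the deletion event never shares a transaction with the order's other events; the exclusion list has to be computed first and then applied, which is why the two passes are separate functions here.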