Greetings,
Still confused with Splunk.
How do I specify the start point to search from? For this application I do not start searching from the head of my log files.
I would like to do something like:
pseudo code:
index=* OR index=_* sourcetype=OneOfManyLogFiles*
    earliest=[ search index=_* sourcetype="terminal.log"
               | return eval StartSearchFrom=strftime(if(imatch(Info, "^ApplyPayment\(\) - ManagerId.+PaymentId"), _time), "%Y-%m-%d %H:%M:%S.%3N") ]
This idea does not work... how is this accomplished?
When using streamstats, the log file that has the string "ApplyPayment" is not included in the final rendered table.
index=* OR index=_* sourcetype=OneOfManyLogFiles*
| eval Action=case(match(Info, "^ApplyPayment\(\) - ManagerId.+PaymentId"), "StartTran",
                   match(Info, "^Done Merchant Payment"), "EndTran",
                   match(Info, "^Exiting"), "Exiting",
                   true(), "Info")
| eval EventTime=strftime(if(in(Action, "StartTran", "EndTran"), _time, null()), "%Y-%m-%d %H:%M:%S.%3N")
| sort 0 _time
| streamstats count(eval(Action="StartTran")) AS TranCount BY host
| stats min(_time) AS _time, values(sourcetype) AS sourcetype, values(CheckNumber) AS CheckNumber,
        values(TransactionId) AS TransactionId, values(PaymentId) AS PaymentId, list(Info) AS events BY host TranCount
| table TranCount sourcetype _time host CheckNumber TransactionId PaymentId events
Thanks for any help/ideas on this.
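An added example, not part of the original post, that puts both pieces of the question together in one search. The subsearch finds the oldest "ApplyPayment" event and hands its epoch time back as the `earliest` modifier of the outer search, so nothing before that point is read; the outer search is then sorted into chronological order before `streamstats`, so each "ApplyPayment" event opens its own transaction group instead of being counted into the previous one (the search pipeline delivers newest events first, which is why the grouping in the post looked wrong). The field names `Info` and `host`, the sourcetypes and the regexes are taken from the post; the extracted field `PaymentId` and the `Completed` and `Duration` columns are assumptions made here.

```spl
index=* OR index=_* sourcetype=OneOfManyLogFiles*
    [ search index=_* sourcetype="terminal.log"
      | regex Info="^ApplyPayment\(\) - ManagerId.+PaymentId"
      | stats min(_time) AS earliest
      | eval earliest=floor(earliest)
      | return earliest ]
| eval Action=case(match(Info, "^ApplyPayment\(\) - ManagerId.+PaymentId"), "StartTran",
                   match(Info, "^Done Merchant Payment"), "EndTran",
                   match(Info, "^Exiting"), "Exiting",
                   true(), "Info")
| sort 0 _time
| streamstats count(eval(Action="StartTran")) AS TranCount BY host
| where TranCount > 0
| stats min(_time) AS StartTime, max(_time) AS EndTime, values(PaymentId) AS PaymentId,
        count(eval(Action="EndTran")) AS Completed, list(Info) AS events BY host TranCount
| eval Duration=EndTime-StartTime,
       StartTime=strftime(StartTime, "%Y-%m-%d %H:%M:%S.%3N"),
       EndTime=strftime(EndTime, "%Y-%m-%d %H:%M:%S.%3N")
| table host TranCount StartTime EndTime Duration Completed PaymentId events
```

The `where TranCount > 0` line drops events that precede the first "ApplyPayment" on a host, which is what keeps the leading noise out of the table; remove it if those events are wanted as a group of their own. `Completed` is 0 for a transaction that never reached "Done Merchant Payment", which makes incomplete payment flows easy to spot in the result without reading the event list.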