I'm trying to create a search that provides me with the average duration between VALIDATED and ARCHIVED only if it completes all the stages of the report. If a stage fails, a FAILED message is written.
The issue I currently have is that the FAILED message creates a report called "other" in the chart.
VALIDATED
STARTED
FINISHED
STARTED
FINISHED
ARCHIVED
index=myindex | transaction startswith="VALIDATED" endswith="ARCHIVED NOT FAILED" | timechart avg(duration) by Report
Thanks in advance
.... | eval is_failed = mvfind(status_type, "FAILED") | where isnull(is_failed) | transaction report startswith="VALIDATED" endswith="ARCHIVED" | table report,duration
Worked! Thanks for your help Kristian
... | transaction report | at the start didn't seem to work for some reason
Thanks for the explanation, I have updated the search. I did notice a typo
Thanks for your help!!
Ooh, no... I think that you're not getting correct results.
The point of my earlier suggestion was to do the grouping first (i.e. the transaction), and then remove all transactions where either of the events have a FAILED status.
By removing the FAILED events before creating the transaction, you'll get the wrong results.
Also, the point of the mvfind() is that the transaction creates a multi-valued field of status_type. Filtering regular fields can be done directly with status_type != FAILED (though this is not what you want in this case).
Please post some sample events.
Added update, thanks Kristian
updated -------- Captcha won't work on edit!
Thanks for looking at this for me Kristian
fields
event_type= Context,Enrichment,Calculation,Archival
Status_type= Validated,Started,Finished,Archived,Failed
Report= bb_12334_999 (Unique report id)
Stages the report goes through
Event_type= Context Status_type= Validated
Context Validated,
Enrichment Started,
Enrichment Finished,
Calculation Started,
Calculation Finished,
Archival Archived,
The 'Archived not Failed' in the search above was me just trying things to get it to work. I thought having a NOT statement somewhere would stop them being included, but I've tried it in numerous places and can't get it to work.
Maybe I'm misunderstanding this, but is the Report in each of the events? If so, did you try:
... | transaction Report | eval is_failed = mvfind(Status_type, "FAILED") | where isnull(is_failed)
Please provide some more information;
Will a process where a stage fails move on to have ARCHIVED status? Or will it stop with the FAILED message?
What is "Report"? Some unique ID?
Does the string "ARCHIVED NOT FAILED" exist as such in a single event?
Please provide a few sample events.
/K
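A small Python model of the ordering point made in the thread (build the transaction first, then drop transactions that contain FAILED), added here as an example and not code from any poster or from Splunk. The events are constructed, and it assumes a report that fails can still go on to ARCHIVED, which the thread leaves open.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample events: (epoch seconds, Report, Status_type).
# bb_1 completes cleanly; bb_2 fails a stage but still reaches Archived (assumption).
EVENTS = [
    (0, "bb_1", "Validated"), (10, "bb_1", "Started"), (20, "bb_1", "Finished"),
    (30, "bb_1", "Started"), (40, "bb_1", "Finished"), (60, "bb_1", "Archived"),
    (100, "bb_2", "Validated"), (110, "bb_2", "Started"), (120, "bb_2", "Failed"),
    (130, "bb_2", "Started"), (400, "bb_2", "Finished"), (500, "bb_2", "Archived"),
]

def transactions(events):
    """Group by Report; keep groups that open with VALIDATED and close with ARCHIVED."""
    groups = defaultdict(list)
    for ts, report, status in sorted(events):
        # The thread shows both "Failed" and "FAILED", so normalise case here.
        groups[report].append((ts, status.upper()))
    out = {}
    for report, evs in groups.items():
        statuses = [s for _, s in evs]
        if statuses[0] == "VALIDATED" and statuses[-1] == "ARCHIVED":
            out[report] = {"duration": evs[-1][0] - evs[0][0], "statuses": statuses}
    return out

def group_then_filter(events):
    """Build transactions, then drop any whose multi-valued status list has FAILED."""
    return {r: t["duration"] for r, t in transactions(events).items()
            if "FAILED" not in t["statuses"]}

def filter_then_group(events):
    """Drop FAILED events first, then build transactions (the order warned against)."""
    kept = [e for e in events if e[2].upper() != "FAILED"]
    return {r: t["duration"] for r, t in transactions(kept).items()}

def avg_duration(durations):
    """Average duration over the surviving reports, or None if there are none."""
    return mean(durations.values()) if durations else None

if __name__ == "__main__":
    print("group then filter:", group_then_filter(EVENTS))
    print("filter then group:", filter_then_group(EVENTS))
```

With the FAILED event removed before grouping, bb_2 looks like a clean VALIDATED-to-ARCHIVED run and pulls the average from 60 to 230 seconds.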