Hi,
I have come across a situation where I have to compare a set of values for a field with one value for another field (Both represent time), and display Yes/No as values for a new field.
Search one should give me a field "Latest_Time" with only one value, and it should be compared with another field "Gen_Time" in another search, creating a new field "Checked" with possible values "Yes/No": if "Latest_Time" is less than "Gen_Time", the value for "Checked" is "Yes", else "No".
Please help.
Okay... something like this?
index=foo sourcetype=bar (Error_Message=* OR Success_Message=*) | eval message_type = if(isnotnull(Error_Message), "error", "success") | eval dummy = "dummy" | chart latest(_time) over dummy by message_type | eval checked = if(success > error, "Yes", "No") | fields checked
It was really helpful.
2014-04-21 06:39:38 Message="Error Server connection failed on 8346 port.
2014-04-21 06:41:59 Port opened, connection successful
2014-04-21 07:22:34 Message="Error Server connection failed on 8346 port.
2014-04-21 07:25:32 Port opened, connection successful.
I have two types of events. I have rexed and extracted the fields Error_Message & Success_Message. So now I have to find the latest time where "Port opened, connection successful" occurred and check it against all the Error_Messages.
If latest success message is after error message, action taken is "Yes".
Table Time, Error_Message, action_taken
Do post some sample events.
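For the refined requirement in the follow-up above (one row per error event, with action_taken set to "Yes" when the latest success is later than that error), here is an added search that is not part of the original answer. It assumes Error_Message has already been extracted by the poster's rex, that success events contain the literal text "connection successful", and that the index/sourcetype names are placeholders.

```spl
index=foo sourcetype=bar ("connection failed" OR "connection successful")
| eval message_type=if(searchmatch("connection successful"), "success", "error")
| eventstats max(eval(if(message_type=="success", _time, null()))) as latest_success_time
| where message_type=="error"
| eval action_taken=if(isnotnull(latest_success_time) AND latest_success_time > _time, "Yes", "No")
| eval Time=strftime(_time, "%Y-%m-%d %H:%M:%S")
| table Time, Error_Message, action_taken
```

Against the four sample events, both error rows get "Yes" because the 07:25:32 success is later than each error; an error with no later success (or no success event at all in the time range) gets "No" rather than a null comparison.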