I have a search that monitors failed POs.
Essentially the idea is to monitor the overall state of the txn, and whether it fails, so I calc latest(status) as Exit_Status to find the overall status of a transaction.
What happens when the txn fails, though, is we lose valuable customer information from the START log that our support could really use in determining the root cause.
How can I pull the values from the START LOG, but still monitor the overall status of the PO?
Here is my search:
index=contract_gateway sourcetype=esb_audit esb_top_level=1 NOT bp_bp_name="Task" status=*fail bp_bp_name=PO | eval marker=coalesce(bp_context_id, svc_context_id) | stats earliest(_time) as start_time, latest(_time) as end_time, first(svc_context_name) as svc_context_name, first(FromIdentity) as FromIdentity, first(TPCode) as TPCode, first(PONumber) as PONumber, latest(status) as exit_status, first(other) as exit_message by marker | eval duration=end_time-start_time | eval _time=start_time|convert ctime(start_time) ctime(end_time)
The output of the alert typically has blank fields for the PO Number, TPCode, and FromIdentity.
I have been playing around with the search, but I haven't been able to pull those values from the start log of the order into the alert when monitoring the overall status of FAIL.
Any suggestions would be awesome...thanks in advance!!
Try this:
I don't have the status values for start and end log, so please update that accordingly, in line 3.
index=contract_gateway sourcetype=esb_audit esb_top_level=1 NOT bp_bp_name="Task" status=fail* bp_bp_name=PO | eval marker=coalesce(bp_context_id, svc_context_id)
| transaction marker startswith="status=START" endswith="status=ERROR OR status=COMPLETE"
| eval end_time=_time+duration | eval start_time=_time |convert ctime(start_time) ctime(end_time)
|eval exit_status=mvindex(status,0) | eval exit_message=mvindex(other,0)
| table marker start_time end_time svc_context_name FromIdentity TPCode PONumber exit_status exit_message
Thanks for the response. I'm not getting any results back after updating the third line...
index=contract_gateway sourcetype=esb_audit esb_top_level=1 NOT bp_bp_name="Task" status=fail* bp_bp_name=PO | eval marker=coalesce(bp_context_id, svc_context_id)
| transaction marker startswith="status=START" endswith="FAIL*"
| eval end_time=_time+duration | eval start_time=_time |convert ctime(start_time) ctime(end_time)
| eval exit_status=mvindex(status,0) | eval exit_message=mvindex(other,0)
| table marker start_time end_time svc_context_name FromIdentity TPCode PONumber exit_status exit_message
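To make the correlation problem in this thread concrete, here is an added Python model of the two search shapes discussed (it is not code from the thread or from Splunk). It builds a few constructed audit events that use the thread's field names, where only the START event of a context carries PONumber, TPCode and FromIdentity, and the later event carries the exit status. Two orderings of the same work are compared: filtering on status before grouping by marker, and grouping first and then keeping only transactions whose latest status is a failure. The helper functions, the sample values, and the assumption that START events carry a status that does not match a fail pattern are all mine; Splunk's first() follows search order rather than chronological order, so the model uses an explicit time sort to keep the behaviour predictable.

```python
from collections import defaultdict

# Constructed sample events (not real data). Field names follow the thread:
# the START event carries the customer fields, the later event carries the status.
EVENTS = [
    {"_time": 1000, "bp_context_id": "ctx-1", "status": "START",
     "svc_context_name": "PurchaseOrder", "FromIdentity": "ACME",
     "TPCode": "TP01", "PONumber": "PO-123"},
    {"_time": 1030, "bp_context_id": "ctx-1", "status": "FAIL",
     "other": "schema validation error"},
    {"_time": 2000, "svc_context_id": "ctx-2", "status": "START",
     "svc_context_name": "PurchaseOrder", "FromIdentity": "BETA",
     "TPCode": "TP02", "PONumber": "PO-456"},
    {"_time": 2020, "svc_context_id": "ctx-2", "status": "COMPLETE"},
]


def marker(event):
    """Model of: eval marker=coalesce(bp_context_id, svc_context_id)."""
    return event.get("bp_context_id") or event.get("svc_context_id")


def is_failure(status):
    """Model of a status=*fail / status=fail* style filter (assumed case-insensitive)."""
    return status is not None and "fail" in status.lower()


def summarize(events):
    """Model of the stats ... by marker clause from the question.

    first(field) here means the first non-null value in chronological order,
    latest(field) the last non-null value; stats ignores events lacking the field.
    """
    groups = defaultdict(list)
    for ev in events:
        groups[marker(ev)].append(ev)

    rows = {}
    for key, evs in groups.items():
        evs = sorted(evs, key=lambda e: e["_time"])

        def first(field):
            return next((e[field] for e in evs if field in e), None)

        def latest(field):
            return next((e[field] for e in reversed(evs) if field in e), None)

        rows[key] = {
            "start_time": evs[0]["_time"],
            "end_time": evs[-1]["_time"],
            "duration": evs[-1]["_time"] - evs[0]["_time"],
            "svc_context_name": first("svc_context_name"),
            "FromIdentity": first("FromIdentity"),
            "TPCode": first("TPCode"),
            "PONumber": first("PONumber"),
            "exit_status": latest("status"),
            "exit_message": first("other"),
        }
    return rows


def filter_then_stats(events):
    """Base search restricted to failing events, then stats by marker.

    The START event never reaches stats, so the customer fields come back empty.
    """
    failing = [e for e in events if is_failure(e.get("status"))]
    return summarize(failing)


def stats_then_filter(events):
    """Stats over every event of the context first, then keep failed transactions.

    The START event contributes PONumber/TPCode/FromIdentity, and the failure
    filter is applied to the aggregated exit_status instead of to raw events.
    """
    return {key: row for key, row in summarize(events).items()
            if is_failure(row["exit_status"])}


if __name__ == "__main__":
    for name, fn in (("filter then stats", filter_then_stats),
                     ("stats then filter", stats_then_filter)):
        print(name)
        for key, row in fn(EVENTS).items():
            print(" ", key, row["exit_status"], row["PONumber"], row["TPCode"], row["FromIdentity"])
```

The first ordering reproduces the blank PONumber, TPCode and FromIdentity columns described in the question; the second keeps them while still reporting only transactions whose final status is a failure. In SPL terms the equivalent change is to move the failure condition from the base search to a `where` or `search` after the `stats`, applied to the computed exit status; the transaction-based answer hits the same issue if the START event is filtered out before `transaction` runs.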