Hi
I have a set of logs over which the transaction command is applied for SessionID and some fields are extracted. Below is the sample result.
| | FileName | StatusCode |
| 814xxx | Setxxxx.csv | 0 |
| | | 0 |
| | | 0 |
| 814xxx | xxx.ZIP.asc | 0 |
| | xxx.ZIP.asc | 91 |
| | xxx.ZIP.asc | 1481 |
| | | 0 |
| 814xxx | | 0 |
The Status will be FAILURE if any of the StatusCode values for a particular SessionID has a non-zero value; otherwise the Status will be COMPLETED.
The expected output is
| | FileName | StatusCode | StatusCode |
| 814xxx | Setxxxx.csv | 0 | COMPLETED |
| | | 0 | |
| | | 0 | |
| 814xxx | xxx.ZIP.asc | 0 | FAILURE |
| | xxx.ZIP.asc | 91 | |
| | xxx.ZIP.asc | 1481 | |
| | | 0 | |
| 814xxx | | 0 | COMPLETED |
How can I do this?
You can try any of these
Your base search | eval StatusCode=if(StatusCode=0,"COMPLETED","FAILURE") | your transaction command | eval StatusCode=if(mvcount(StatusCode)=2,"FAILURE",StatusCode)
Your search with transaction command | eventstats sum(StatusCode) as AggrStatusCode by SessionID | eval StatusCode=if(AggrStatusCode=0,"COMPLETED","FAILURE")
Could you sum the StatusCode and use an IF statement to identify the FAILURE/COMPLETED?
i.e.
... | stats sum(StatusCode) as StatusCode by SessionID | eval StatusCode=if(StatusCode==0,"COMPLETED","FAILURE") ...
Pipe the transaction results and use the eval command
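
The eventstats approach from the answers above, run end to end as an added example (not code from the original posts). The eight events are constructed with makeresults to mirror the question's sample; the SessionID and FileName values and the helper field n are made up, and the result is written to a separate Status field as in the expected output.

```spl
| makeresults count=8
| streamstats count AS n
| eval SessionID=case(n<=3, "814001", n<=7, "814002", true(), "814003")
| eval FileName=case(n==1, "Set01.csv", n==4, "a.ZIP.asc", n==5, "b.ZIP.asc", n==6, "c.ZIP.asc")
| eval StatusCode=case(n==5, 91, n==6, 1481, true(), 0)
| transaction SessionID
| eventstats sum(StatusCode) AS AggrStatusCode BY SessionID
| eval Status=if(AggrStatusCode==0, "COMPLETED", "FAILURE")
| table SessionID FileName StatusCode Status
```

Session 814002 contains the codes 91 and 1481, so its sum is non-zero and it is marked FAILURE; the other two sessions contain only 0 and are marked COMPLETED.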