After the transaction command, I got a set of events as one event. Now I want to filter the logs from this transaction result.
Let's say my transaction result has 10 lines, Line 1 to Line 10.
Now I want only the lines from line 3 to line 8.
How can I do this?
Please help... ASAP.
First, get rid of transaction by manufacturing a sessionID like this:
search... | reverse | streamstats current=t count(eval(searchmatch("start"))) AS sessionID | stats list(_raw) by sessionID
Now that you have a sessionID field for every event, you have more control and can do something like this:
search... | reverse | streamstats current=t count(eval(searchmatch("Start"))) AS sessionID | streamstats current=t count(eval(searchmatch("\"DEBUG - PQR\" OR \"DEBUG - XYZ\""))) AS subsessionID by sessionID | search subsessionID="1" NOT Start | stats list(_raw) by sessionID
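To make the two streamstats counts in that answer concrete, here is a Python emulation (an added example, not code from the thread or from Splunk) run over the asker's eight sample lines in the newest-first order Splunk returns them; searchmatch() is approximated by a case-insensitive substring test, which is an assumption of this emulation.

```python
# Constructed sample: the asker's eight lines, newest first, as Splunk
# would return them before "| reverse" restores chronological order.
SAMPLE_EVENTS = [
    "2015/10/17 06:32:43,872 EDT - DEBUG - End",
    "2015/10/17 06:32:43,872 EDT - DEBUG - XYZ",
    "2015/10/17 06:32:43,872 EDT - DEBUG - ABC",
    "2015/10/17 06:32:43,872 EDT - DEBUG - ABC",
    "2015/10/17 06:32:43,872 EDT - DEBUG - ABC",
    "2015/10/17 06:32:43,872 EDT - DEBUG - ABC",
    "2015/10/17 06:32:43,872 EDT - DEBUG - PQR",
    "2015/10/17 06:32:43,872 EDT - DEBUG - Start",
]


def searchmatch(raw, term):
    """Stand-in for Splunk's searchmatch(): case-insensitive substring test."""
    return term.lower() in raw.lower()


def session_windows(events, session_start, window_marks, exclude):
    """Emulate the streamstats/search/stats pipeline from the answer above.

    events:        raw lines, newest first (as Splunk returns them)
    session_start: term whose occurrence starts a new sessionID ("Start")
    window_marks:  terms that bump subsessionID inside a session
    exclude:       term dropped from the result (the "NOT Start" clause)
    Returns {sessionID: [raw lines whose subsessionID == 1]}.
    """
    session_id = 0            # 0 until the first "Start" is seen
    sub_by_session = {}       # running subsessionID per sessionID
    result = {}
    for raw in reversed(events):                         # | reverse
        if searchmatch(raw, session_start):              # count(eval(searchmatch("Start")))
            session_id += 1                              # current=t: this event counts
        sub = sub_by_session.get(session_id, 0)
        if any(searchmatch(raw, m) for m in window_marks):   # "DEBUG - PQR" OR "DEBUG - XYZ"
            sub += 1
        sub_by_session[session_id] = sub                 # streamstats ... by sessionID
        if sub == 1 and not searchmatch(raw, exclude):   # search subsessionID="1" NOT Start
            result.setdefault(session_id, []).append(raw)  # stats list(_raw) by sessionID
    return result


if __name__ == "__main__":
    for sid, lines in session_windows(SAMPLE_EVENTS, "Start",
                                      ["DEBUG - PQR", "DEBUG - XYZ"], "Start").items():
        print(sid, [line.rsplit(" - ", 1)[1] for line in lines])
```

Note that the XYZ line itself gets subsessionID 2, so the query keeps PQR and the four ABC lines but not XYZ; adjust the second searchmatch if the closing keyword must be included.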
Maybe use mvindex?
| eval NewField=mvindex(_raw, 3, 8)
Seems like the _raw field isn't a multi-value field after a transaction. It does, however, work for other fields. Maybe extract the useful info from the logs before transactioning?
You could use a regular expression to extract the relevant info from the _raw field. That might, however, be a tedious job if there are a lot of exceptions; you might have to write several. This should work for your example:
| rex "(?s)PQR\s(?<RelevantLogStuff>.+)\s2015.+XYZ"
The filtering is not based on line numbers. It's based on some keywords, let's say "ReStart" to "Close"; I need the logs which are in between these keywords, and the line numbers are not fixed either.
Is the filter (from row 3 to row 8) fixed, or does it depend on some value in the actual data?
It's not fixed. It depends on the keyword I use, and on the requirement.
See if something like this would work for you.
search... | eval RawLines=_raw | transaction startswith="start" endswith="end" | eval RawLines=mvfilter(NOT match(RawLines,"Start") AND NOT match(RawLines,"End"))
The field _raw, though it looks like a multivalued field in the events tab, is actually not, so I created another field which holds the raw data lines, and the filter is applied on that field.
An example please?
Query:
search... | transaction startswith="start" endswith="end"
And I got the event as below:
2015/10/17 06:32:43,872 EDT - DEBUG - Start
2015/10/17 06:32:43,872 EDT - DEBUG - PQR
2015/10/17 06:32:43,872 EDT - DEBUG - ABC
2015/10/17 06:32:43,872 EDT - DEBUG - ABC
2015/10/17 06:32:43,872 EDT - DEBUG - ABC
2015/10/17 06:32:43,872 EDT - DEBUG - ABC
2015/10/17 06:32:43,872 EDT - DEBUG - XYZ
2015/10/17 06:32:43,872 EDT - DEBUG - End
Now I need only the logs from DEBUG - PQR to DEBUG - XYZ.
Please help...