My app writes two log statements, an audit statement and an activity statement, for each invocation, as below:
audit:
type:audit | tid:123 | userid:abc
activity:
type:activity | tid:123 | action:login
The need is to get a sense of what the user has done by displaying the userid and collapsing the actions into a table.
What I have tried so far is to define a transaction on the audit log and collapse all tid values for a given user, which displays data as below:
userid | tid
abc | 123
| 345
xyz | 793
| 438
How do I show the action values from activity instead of tid?
Try this (assuming all fields have been extracted):
index=webapp host=pxdtp00* (audit* OR activity*) | rex "(?<Action>audit|activity)" | stats values(Action) as Action by UserId TxnId | mvexpand Action
UPDATED to include field extraction
Try the updated query. I modified it to include field extraction.
This query is getting the results I wanted.
index=webapp host=host* AND IntegrationFrameworkV01 AND audit*
| dedup TxnId
| table UserId TxnId
| join TxnId [search index=webapp host=host* AND IntegrationFrameworkV01 AND client:* | eval Date_Time = strftime(_time, "%m/%d/%y %H:%M:%S") | stats values(Action) as Action sum(eval(ReqLatency + AppLatency + ResLatency)) as Latency by TxnId HttpCode Date_Time ]
| stats list(Action) as Action list(Latency) as Latency list(HttpCode) as HttpCode list(Date_Time) as DateTime by UserId
| table UserId Action DateTime Latency HttpCode
The job indicates:
'stats' command: limit for values of field 'DP_IF_Action' reached. Some values may have been truncated or ignored.
How do I stop the results from being truncated?
What is your current search statement?
index=webapp host=pxdtp00* AND audit*
| transaction UserId
| table UserId TxnId
| join TxnId [search index=webapp host=pxdtp00* activity* | stats values(Action) as Action by TxnId ]
| table UserId Action TxnId
The search before the join collapses all TxnId values for a given user, so the subsearch is then not able to bring the Action into the mix.
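An added example, not one of the thread's own queries, that addresses both the original question (getting Action per user instead of TxnId) and the later "limit for values of field ... reached" warning. Instead of transaction followed by join, it correlates the audit and activity events on TxnId in a single stats pass, and it keeps one row per transaction rather than collapsing each user's actions into a multivalue field. It assumes, as the thread's later queries do, that UserId, TxnId, Action, HttpCode, ReqLatency, AppLatency and ResLatency are already extracted; the index, host and audit*/activity* search terms are taken from the thread.

```spl
index=webapp host=pxdtp00* (audit* OR activity*)
| stats values(UserId) as UserId
        values(Action) as Action
        values(HttpCode) as HttpCode
        min(_time) as _time
        sum(eval(ReqLatency + AppLatency + ResLatency)) as Latency
        by TxnId
| where isnotnull(UserId)
| eval Date_Time = strftime(_time, "%m/%d/%y %H:%M:%S")
| sort 0 UserId _time
| table UserId TxnId Date_Time Action HttpCode Latency
```

The audit event for a TxnId carries UserId and the activity event carries Action, HttpCode and the latency fields, so grouping both event types by TxnId stitches them together without a join; the where clause drops activity events whose audit counterpart is missing, so UserId is never blank. The truncation warning comes from the per-field caps in limits.conf under the [stats] stanza (maxvalues for values(), list_maxsize for list()); raising them only moves the cliff, whereas emitting one row per TxnId never builds the oversized per-user multivalue field in the first place. Dropping join also sidesteps the subsearch result-count and time limits that silently truncate the join side on busy users.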