Hi,
Anyone, please help me. I need to find out the time between REQ and ACK by using the (TS:1478717835696) and Data Collection Node (DCN). But am trying to find out by using the transaction command but i haven't get the exact results.
My code is like this and also i need to find out the outcome status.
2016-11-09 12:57:18,855 VendorAdjudicationModule ERROR CorrelationID=2469bae9-fe14-4e67-b345-95d652f4a868 -[DCN xxxxxxxxxxxxxxx-SL:5-TS:1478717835696]: Group=000142003,Section=0001,PlanID=7154,State=TX1,ClaimType=0,VendorName=CVP,InvocationType=REQ
2016-11-09 12:57:18,855 VendorAdjudicationModule ERROR CorrelationID=2469bae9-fe14-4e67-b345-95d652f4a868 -[DCN xxxxxxxxxxxxxxx-SL:5-TS:1478717835796]: Group=000142003,Section=0001,PlanID=7154,State=TX1,ClaimType=0,VendorName=CVP,InvocationType=ACK,Outcome=SUCCESS
2016-11-09 12:57:18,855 VendorAdjudicationModule ERROR CorrelationID=2469bae9-fe14-4e67-b345-95d652f4a868 -[DCN xxxxxxxxxxxxxxx-SL:5-TS:1478717835800]: Group=000142003,Section=0001,PlanID=7154,State=TX1,ClaimType=0,VendorName=CVP,InvocationType=RSP,Segment =100
Anyone, please help me.
Thanks.
If TS and DCN can uniquely identify one session (transaction) then can you try this:
index=yourIndex sourcetype=yourSourcetype "InvocationType=REQ" "InvocationType=ACK"
| rex field=_raw "\-\[(?<dcn>[^\-]+)\-(?<ts>[^\]]+)\]"
| transaction ts, dcn
| table dcn, ts, duration
This assumes all your timestamps are of same format. If they are of different format then probably it will require formatting first and then transaction command.
If TS and DCN can uniquely identify one session (transaction) then can you try this:
index=yourIndex sourcetype=yourSourcetype "InvocationType=REQ" "InvocationType=ACK"
| rex field=_raw "\-\[(?<dcn>[^\-]+)\-(?<ts>[^\]]+)\]"
| transaction ts, dcn
| table dcn, ts, duration
This assumes all your timestamps are of same format. If they are of different format then probably it will require formatting first and then transaction command.
Thanks it works perfectly....