We have data from multiple sources and are capturing the first ten digits of an alphanumeric string, as observed in the regex in the search string below.
We are trying to capture transaction timings of when a message is created to when it's completed. Each message type will have different logging from the other, hence the various startswith strings listed below:
index=index sourcetype=logs
| rex "^(?:[^:\n]*:){4}(?P<ObjectID>\w+)"
| transaction ObjectID startswith="starting pointone" OR "starting pointtwo" OR "starting pointthree" OR "starting pointfour"
endswith="ending pointone" OR "ending pointtwo"
| table _time ObjectID source host duration
Does anyone know of a way to handle multiple string pairs for both startswith and endswith?
Also, we are using 6.5.
This is a great demonstration case for the general rule - NEVER use transaction when something else will do. In this case, stats gets you your answer better, faster, easier.
your search that extracts the records you want for a start or end of a "transaction", with _time ObjectID source and host without worrying which of those records it might be, just any records that are one or the other
| stats min(_time) as StartTime max(_time) as EndTime by ObjectID source host
| eval duration = EndTime-StartTime
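The placeholder line above left the filtering step to the reader, so here is one complete version of the stats approach for the search in the question. This is an added example, not DalJeanis's own search or anything from the original thread; it assumes the index and sourcetype names from the question and that the start/end phrases appear literally in `_raw`. It also goes one step beyond the answer by counting start and end records separately, so that an ObjectID that has only started (or only ended) inside the search window is dropped instead of being reported with a duration of 0.

```spl
index=index sourcetype=logs
    ("starting pointone" OR "starting pointtwo" OR "starting pointthree" OR "starting pointfour"
     OR "ending pointone" OR "ending pointtwo")
| rex "^(?:[^:\n]*:){4}(?P<ObjectID>\w+)"
| eval phase=if(match(_raw, "starting point"), "start", "end")
| stats min(_time) as StartTime max(_time) as EndTime
        count(eval(phase=="start")) as starts
        count(eval(phase=="end")) as ends
        by ObjectID source host
| where starts>0 AND ends>0
| eval duration=EndTime-StartTime
| table StartTime EndTime ObjectID source host duration
```

Because stats groups every matching event in the time range by ObjectID, source and host, the search window must be wide enough to contain both ends of the slowest transaction you care about; a start that falls just before the window will show up as an end-only group and be filtered out by the `where` clause rather than silently producing a wrong duration. If the same ObjectID can legitimately be reused for more than one message, add whatever field distinguishes the runs to the `by` clause, otherwise min and max will span both runs.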
Thanks DalJeanis. That worked a treat.
Make sure to mark your code as code so that the interface doesn't eat anything in angle brackets.