Hi,
I have a log file with 3 columns, timestamp, processID and state. When the process starts or ends, a row is inserted into the log file. What's the best search string to find out all jobs in start state?
Thanks in advance!
time PID State
9:22 1000 start
9:23 2000 start
9:24 3000 start
9:25 4000 start
9:26 5000 start
9:37 2000 end
9:38 4000 end
9:39 6000 start
9:40 7000 start
9:41 5000 end
I don't think a subsearch would be of any use in your scenario. Rather I'd advise you to use transaction or stats. Both can be used to group events by PID and then show you the groups that have a start event but no end event.
Using stats, it would be something like:
... | stats count,values(State) by PID | where count<2
And similarly, using transaction:
... | transaction PID | search eventcount<2
That's excellent. Thank you very much!
I like the solution using transaction. Is there a way to find out the total transaction time?
E.g. the PID 2000 took 14 minutes using the above sample log.
This will be very useful.
Thank you!
Sure - the transaction command always produces two fields, eventcount and duration. We already used eventcount for the answer to your first question, and you could use duration for your second - it simply holds the duration, in seconds, of each transaction.
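As an added example that is not part of the thread, here is the same logic in Python: group the posted sample log by PID to list the jobs still in the start state (what the stats/transaction searches above do) and compute each completed job's start-to-end time in seconds, as transaction's duration field does. SAMPLE_LOG is the log from the question; the function names are my own.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample: the log posted in the question above, verbatim.
SAMPLE_LOG = """\
time PID State
9:22 1000 start
9:23 2000 start
9:24 3000 start
9:25 4000 start
9:26 5000 start
9:37 2000 end
9:38 4000 end
9:39 6000 start
9:40 7000 start
9:41 5000 end
"""

def group_by_pid(text):
    """Like '... | stats values(State) by PID': returns {pid: {state: time}}.
    Skips the header and malformed rows instead of crashing on them."""
    groups = defaultdict(dict)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] == "time":
            continue
        ts = datetime.strptime(parts[0], "%H:%M")
        groups[int(parts[1])][parts[2].lower()] = ts
    return groups

def open_jobs(text):
    """PIDs with a start event but no end event (the 'where count<2' idea).
    Checking State explicitly means a lone 'end' (a job that started before
    the log window) is not mistaken for a running job."""
    return sorted(pid for pid, ev in group_by_pid(text).items()
                  if "start" in ev and "end" not in ev)

def job_durations(text):
    """Seconds from start to end per PID, like transaction's 'duration' field;
    only PIDs that have both events are reported."""
    return {pid: int((ev["end"] - ev["start"]).total_seconds())
            for pid, ev in group_by_pid(text).items()
            if "start" in ev and "end" in ev}

if __name__ == "__main__":
    print("still running:", open_jobs(SAMPLE_LOG))      # [1000, 3000, 6000, 7000]
    print("duration (s):", job_durations(SAMPLE_LOG))   # PID 2000 -> 840, i.e. 14 minutes
```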