Hi everyone,
Recently I faced some issues when I tried to do an advanced search.
My problem: I need to create a table that contains: id | duration
I tried to use different techniques like map and subsearch, but they don't seem to work.
Thank you very much
Hi @ayela ,
Try this and let me know what's missing
index="c" sourcetype="flox:app" laas_env=dev laas_file="/var/tmp/test/logs/dev.log" ("Source Message Received" OR "sent")
|eval startime=if(searchmatch("Source Message Received"),_time,null())
|eval endtime=if(searchmatch("sent"),_time,null())
|table _time,startime,endtime,userId
|where (startime!="" OR endtime!="")
|stats latest(startime) as start,latest(endtime) as end by userId
|eval time_diff=end-start
|table userId,time_diff
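The same correlation logic as a stand-alone script, added here as an illustration and not taken from the thread: it mirrors the search above (latest received time and latest sent time per userId, then end minus start, dropping users that have only one side). The log format, timestamps and userId values are constructed assumptions.

```python
"""Pair "Source Message Received" / "sent" events per userId; compute durations."""
import re
from datetime import datetime

# Constructed sample log lines (assumed format, not from the original thread).
SAMPLE_LOG = """\
2024-05-01T10:00:00 Source Message Received <msg><userId>U_TEST01A</userId></msg>
2024-05-01T10:00:07 sent userId=U_TEST01A
2024-05-01T10:01:00 Source Message Received <msg><userId>U_TEST01B</userId></msg>
2024-05-01T10:01:30 Source Message Received <msg><userId>U_TEST01A</userId></msg>
2024-05-01T10:01:42 sent userId=U_TEST01A
2024-05-01T10:02:00 sent userId=U_TEST01C
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<body>.*)$")
# userId appears either as an XML tag (<userId>x</userId>) or as key=value.
USERID_RE = re.compile(r"userId[>=](?P<id>[^<\s]+)")


def parse_events(text):
    """Return (epoch_seconds, kind, userId) tuples; kind is 'received' or 'sent'."""
    events = []
    for line in text.splitlines():
        m, uid = LINE_RE.match(line), USERID_RE.search(line)
        if not m or not uid:
            continue  # unparseable line: skipped, like an event the search misses
        body = m.group("body")
        if "Source Message Received" in body:
            kind = "received"
        elif "sent" in body:
            kind = "sent"
        else:
            continue
        ts = datetime.fromisoformat(m.group("ts")).timestamp()
        events.append((ts, kind, uid.group("id")))
    return events


def durations(events):
    """Per userId: latest sent - latest received, only when both sides exist."""
    start, end = {}, {}
    for ts, kind, uid in events:
        side = start if kind == "received" else end
        side[uid] = max(side.get(uid, ts), ts)  # latest(): keep the newest time
    # Users with only a received or only a sent event get no row (null diff).
    return {uid: end[uid] - start[uid] for uid in start if uid in end}
```

Run on the sample, U_TEST01A yields 12 seconds (its latest receive at 10:01:30 and latest send at 10:01:42), while U_TEST01B and U_TEST01C are dropped because each has only one side.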
THANK YOU!!!!
You just misspelled starttime, but thank you very much!!
I used my imagination to try to figure out what you want to achieve, so here's a sample query that may help you:
| makeresults
| eval id="Received", value="115sd65sa25sa", _time=relative_time(_time, "-2min")
| append
[| makeresults
| eval id="Sent", value="115sd65sa25sa"]
| stats list(id) as id,list(_time) as "time" by value
| eval a = mvindex(time, 0)
| eval b = mvindex(time, 1)
| eval diff=b-a
| eval diff = tostring(diff, "duration")
| fields - id, time,a,b
Thank you for responding.
Sorry if it was not clear.
Here's an example of the query I'm trying to do:
index="c" sourcetype="flox:app" laas_env=dev laas_file="/var/tmp/test/logs/dev.log" "Source Message Received" "_TEST01*" | xmlkv | table userId, _time
The previous query works; it gets all the userIds (from the XML) and the initial time.
Now I want to do something like this:
for each userId
index="c" sourcetype="flox:app" laas_env=dev laas_file="/var/tmp/test/logs/dev.log" "sent" "_TEST01" userId | top limit=1 _time | table userId, ( _time2 - _time)
_time2 is the time when it was sent
_time is the time we received the id
userId: value of the XML tag
Hi @ayela ,
Do you have sample events for both received and sent?