Below is my sample event data:
29-09-2019 8:00:00 Pullout longitude latitude
29-09-2019 8:02:10 loss longitude latitude
29-09-2019 8:02:55 restore longitude latitude
29-09-2019 8:09:00 loss longitude latitude
29-09-2019 8:12:10 restore longitude latitude
29-09-2019 8:54:10 PullIn longitude latitude
29-09-2019 9:02:10 loss longitude latitude
29-09-2019 9:02:55 restore longitude latitude
29-09-2019 9:09:00 loss longitude latitude
29-09-2019 8:12:10 restore longitude latitude
29-09-2019 9:00:00 Pullout longitude latitude
...
Here I want to group from startswith="pullout" to endswith="pullIn", but only take loss events where the time between loss and restoration is more than 1 min (excluding those under 1 min), and plot the losses on a map using latitude and longitude.
Any help will be appreciated. I tried the transaction command but was unable to succeed.
Thanks.
Hi ips_mandar
Can you provide more inputs on this? The way I see it, it goes along the lines of
i.e. in the sample data, should (8:02:55 - 8:02:10) 45 seconds be a separate event or accumulate losses within a transaction?
29-09-2019 8:00:00 Pullout longitude latitude
29-09-2019 8:02:10 loss longitude latitude
29-09-2019 8:02:55 restore longitude latitude
29-09-2019 8:09:00 loss longitude latitude
29-09-2019 8:12:10 restore longitude latitude
29-09-2019 8:54:10 PullIn longitude latitude
Depending on the definition, the approach will change. It almost seems like a transaction within a transaction. Check out these links if that's what you are trying to achieve.
https://answers.splunk.com/answers/30980/nested-transactions.html
https://www.splunk.com/blog/2011/01/11/maintaining-state-of-the-union.html
@vik_splunk you understand correctly, I want a transaction within a transaction.
In the above sample data I am more concerned about (8:09:00 - 8:12:10), i.e. loss happening for more than 1 min, and I don't want the 45 sec one (8:02:55 - 8:02:10).
I want the losses happening for more than 1 min, neglect those that are less than 1 min, and then plot the losses on a map. How can I achieve this?
I did check these links but was unable to understand. Can you please explain how I can achieve it in my case?
Thanks,
Hi ips_mandar
try something like this:
| your_search
| transaction source startswith="loss" endswith="restore"
| where duration>60
| table duration latitude longitude
Bye.
Giuseppe
Thanks, but as I mentioned I want only events falling between "PullOut" and "PullIn", and I want to plot only the losses on the map.
Please explain "loss and restoration time". Also, what SPL have you tried already?
Loss and restoration time define when the GPS unit lost connection and when it restored connection.
I tried ...|transaction source startswith="Pullout" endswith="PullIn"
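A runnable reference implementation of the nested transaction the thread is asking for, added here as an example (it is not from the thread and not Splunk SPL): an outer Pullout..PullIn window, inner loss..restore pairs, and a filter keeping only pairs longer than 60 s, which are the points to plot. It assumes the field layout of the sample above (date, time, event, longitude, latitude); the sample events and coordinates are constructed.

```python
from datetime import datetime

# Constructed sample events in the thread's layout: "<date> <time> <event> <longitude> <latitude>".
# Coordinates are invented; trailing "#" notes are stripped by the parser.
SAMPLE_EVENTS = """
29-09-2019 8:00:00 Pullout 73.850 18.520
29-09-2019 8:02:10 loss 73.860 18.530
29-09-2019 8:02:55 restore 73.860 18.530   # 45 s: too short, dropped
29-09-2019 8:09:00 loss 73.870 18.540
29-09-2019 8:12:10 restore 73.880 18.550   # 190 s inside a trip: kept
29-09-2019 8:54:10 PullIn 73.900 18.560
29-09-2019 9:02:10 loss 73.910 18.570
29-09-2019 9:05:00 restore 73.910 18.570   # 170 s, but between PullIn and the next Pullout: dropped
29-09-2019 10:00:00 Pullout 73.950 18.600
29-09-2019 10:03:00 loss 73.960 18.610
29-09-2019 10:30:00 PullIn 73.970 18.620   # loss never restored before PullIn: dropped
"""

def parse_events(text):
    """Parse lines into (timestamp, event, lon, lat), sorted by time so that
    out-of-order raw lines cannot pair a restore with the wrong loss."""
    events = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) != 5:
            continue  # blank or malformed line
        date, clock, kind, lon, lat = fields
        ts = datetime.strptime(f"{date} {clock}", "%d-%m-%Y %H:%M:%S")
        events.append((ts, kind.lower(), float(lon), float(lat)))
    return sorted(events, key=lambda e: e[0])

def long_losses(events, min_seconds=60):
    """Outer transaction Pullout..PullIn, inner transaction loss..restore.
    Return (loss_start, duration_s, lon, lat) for inner pairs inside a trip longer than min_seconds."""
    in_trip, open_loss, results = False, None, []  # open_loss: loss awaiting its restore
    for ts, kind, lon, lat in events:
        if kind == "pullout":
            in_trip, open_loss = True, None
        elif kind == "pullin":
            in_trip, open_loss = False, None  # an unrestored loss is discarded
        elif kind == "loss" and in_trip:
            open_loss = (ts, lon, lat)
        elif kind == "restore" and open_loss is not None:
            start, slon, slat = open_loss
            duration = (ts - start).total_seconds()
            if duration > min_seconds:
                results.append((start, duration, slon, slat))
            open_loss = None
    return results
```

Each returned tuple carries the loss start time, its duration in seconds, and the coordinates recorded at the loss event, which is what a map plot needs.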