Hi.
I have a requirement like this: for every transaction in my logs I have a unique-id, i.e. for both request and response transformation.
Say the request event will be something like this:
2012-12-23:10:50:33 unique-id =100 OrderId=34 Request Order #############
...
The response event will be something like this:
2012-12-23:12:50:33 unique-id =100 OrderId=34 Order Acknowledged #############
...
So now my requirement: for a particular period selected by the user, I need to know which order requests came in and were processed in more than 2 hrs. So for example, if the user selects 3pm - 4pm, I need to know how many orders were processed, i.e. nothing but how many OrderIds are there which were processed with a processing time of more than 2 hrs. I need this list to be shown as the output of the form.
As of now, I have written two queries to find the orders which are taking more than 2 hrs.
Query 1 (ran for the period 3pm - 4pm):
sourcetype="orderdata" | dedup OrderId | table OrderId | outputlookup OrderId.csv
This query is giving me the list of orders in that time.
Now, to check whether each order was processed in more than 2 hrs, I have written one more search
(ran for all time, or a period longer than the above one):
sourcetype="orderdata" ("Request Order" OR "Order Acknowledged") | stats earliest(_time) as earliest latest(_time) as latest by OrderId | eval duration=latest-earliest | where duration > 7200 | table OrderId
which is giving me the list of orders that were processed in more than 2 hrs.
Now please help: how can I put them in a search form? Or is there a better way to refine my search into a single query? Please help.
Going by your requirement, I assume you want to see transactions started in a particular time frame that took longer than a certain duration, with the end potentially outside the selected time frame?
Here's a thought, untested and in pseudosplunk:
sourcetype, host, and whatever (eventtype=req OR eventtype=ack) | transaction unique-id | where duration > two hours | where start time is in your time frame
The start time is in the combined event for the transaction; you can do comparisons on that in the final where using regular compare operators. For example, if you wanted to look at events starting today from midnight to 4am you'd do something like this:
... | where _time >= relative_time(now(), "@d") AND _time <= relative_time(now(), "@d4h")
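The logic behind both the asker's two-query approach and the answer's single `transaction` search can be made concrete outside Splunk. The Python below is an added example written for this thread, not code posted by either participant: it parses events in the log format shown in the question (the "unique-id =100 OrderId=34 ..." layout, with the spacing around `=` assumed to be as shown), groups them by unique-id the way `transaction unique-id` does (start = earliest event, duration = latest minus earliest), and then keeps only the OrderIds whose transaction *started* inside the user's window and ran longer than two hours, even when the acknowledgement falls outside the window. The sample events are constructed for the example and extend the two lines from the question.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events in the question's log format; not from a real system.
# uid 100: exactly 2h (not "more than"), uid 101: 30 min, uid 102: 2h30 with the
# ack outside a 3pm-4pm window, uid 103: request only, no ack yet.
SAMPLE_LOG = """\
2012-12-23:10:50:33 unique-id =100 OrderId=34 Request Order #############
2012-12-23:12:50:33 unique-id =100 OrderId=34 Order Acknowledged #############
2012-12-23:15:10:00 unique-id =101 OrderId=35 Request Order #############
2012-12-23:15:40:00 unique-id =101 OrderId=35 Order Acknowledged #############
2012-12-23:15:30:00 unique-id =102 OrderId=36 Request Order #############
2012-12-23:18:00:00 unique-id =102 OrderId=36 Order Acknowledged #############
2012-12-23:15:45:00 unique-id =103 OrderId=37 Request Order #############
"""

TS_FORMAT = "%Y-%m-%d:%H:%M:%S"

# Field layout assumed from the question: timestamp, "unique-id =N", "OrderId=N",
# free-text message, trailing run of '#'.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}:\d{2}:\d{2}:\d{2})\s+"
    r"unique-id\s*=\s*(?P<uid>\d+)\s+OrderId=(?P<order>\d+)\s+"
    r"(?P<msg>.*?)\s*#*\s*$"
)


def parse_events(text):
    """Turn raw log text into event dicts; lines that don't match are skipped
    (like the '....' filler in the question)."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        events.append({
            "time": datetime.strptime(m["ts"], TS_FORMAT),
            "uid": m["uid"],
            "order": m["order"],
            "msg": m["msg"],
        })
    return events


def build_transactions(events):
    """Group events by unique-id, mirroring `transaction unique-id`:
    start is the earliest event, duration is latest minus earliest in seconds.
    A request with no acknowledgement yet is a one-event transaction with
    duration 0 and complete=False."""
    groups = defaultdict(list)
    for e in events:
        groups[e["uid"]].append(e)
    txns = {}
    for uid, evs in groups.items():
        times = [e["time"] for e in evs]
        start, end = min(times), max(times)
        txns[uid] = {
            "uid": uid,
            "order": evs[0]["order"],
            "start": start,
            "duration_s": (end - start).total_seconds(),
            "complete": len(evs) >= 2,
        }
    return txns


def slow_orders(transactions, window_start, window_end, min_seconds=7200):
    """OrderIds whose transaction started inside [window_start, window_end]
    (strings in the log's timestamp format) and lasted longer than min_seconds.
    The end of the transaction may lie outside the window, which is the point
    of filtering on start time rather than on the events themselves."""
    ws = datetime.strptime(window_start, TS_FORMAT)
    we = datetime.strptime(window_end, TS_FORMAT)
    return sorted(
        t["order"] for t in transactions.values()
        if ws <= t["start"] <= we and t["duration_s"] > min_seconds
    )


if __name__ == "__main__":
    txns = build_transactions(parse_events(SAMPLE_LOG))
    print(slow_orders(txns, "2012-12-23:15:00:00", "2012-12-23:16:00:00"))
```

Run over the sample, a 3pm-4pm window returns only OrderId 36: order 35 finished in 30 minutes, order 37 has no acknowledgement yet, and order 34 started outside the window (and took exactly two hours, which `>` excludes). The equivalent Splunk shape, as the answer sketches, is `... | transaction unique-id | where duration > 7200 AND _time >= <window start> AND _time <= <window end>`, since a transaction's `_time` is the time of its earliest event; the user's selected period goes into those two comparisons rather than into the time picker, so the search itself must run over a range wide enough to include the late acknowledgements.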
In the above query, can you please tell me how I can give a longer time, i.e. the where start-time condition? Can you please give the exact query?