I have a log file as below:
Time Event_Type Event_Name
-------------------------------------------------------------
time1 Event Event1
time2 Event Event2
time3 Event Event3
time4 DBError SQLErrCode1
time5 DBError SQLErrCode2
time6 Event Event4
time7 Event Event5
time8 DBError SQLErrCode3
....
In the above logs, each DBError is caused by the Event just before that DBError.
The requirement is that I need a result as below:
time4 DBError SQLErrCode1 Event3
time5 DBError SQLErrCode2 Event3
time8 DBError SQLErrCode3 Event5
Appreciate your help ...
Give this a try:
your current search giving columns Time, Event_Type, Event_Name
| streamstats current=f window=1 values(Event_Name) as prev_EventName
| where Event_Type="DBError"
| filldown prev_EventName
OR (in case the above doesn't work due to event ordering):
your current search giving columns Time, Event_Type, Event_Name
| reverse | streamstats current=f window=1 values(Event_Name) as prev_EventName
| where Event_Type="DBError"
| filldown prev_EventName
Thanks for the response.
Well, my question is partially answered here.
From the above solutions, I am getting the results for time5 as
time5 DBError SQLErrCode2 SQLErrCode1
whereas I am expecting
time5 DBError SQLErrCode2 Event3
For time4 and time8, it's coming as expected.
(Edited the dataset a little to make it clearer.)
I would like to know whether we can add conditions to streamstats?
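The result above for time5 comes from `streamstats current=f window=1` doing exactly what it says: it carries the Event_Name of the immediately preceding row, whatever that row's type, so the second of two consecutive DBErrors sees the first DBError's code, and `filldown` never fires because the field is not null. The correlation wanted here is "last Event row seen so far", which is a carry-forward that only updates on Event rows. The following Python block is an added example, not code from the thread; it parses a constructed copy of the sample log, implements that carry-forward, and reproduces the previous-row lookup side by side so the difference at time5 is visible. The log lines are constructed to match the question's shape, and it assumes the rows are already in chronological order (the same assumption the `reverse` variant above is guarding against).

```python
from collections import namedtuple

# Constructed sample log matching the shape in the question (not real data).
SAMPLE_LOG = """\
Time Event_Type Event_Name
-------------------------------------------------------------
time1 Event Event1
time2 Event Event2
time3 Event Event3
time4 DBError SQLErrCode1
time5 DBError SQLErrCode2
time6 Event Event4
time7 Event Event5
time8 DBError SQLErrCode3
"""

Record = namedtuple("Record", "time event_type event_name")


def parse_log(text):
    """Parse whitespace-separated 'time type name' lines, skipping the header."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Time", "-")):
            continue
        parts = line.split(None, 2)
        if len(parts) != 3:
            raise ValueError(f"malformed log line: {line!r}")
        records.append(Record(*parts))
    return records


def previous_row_lookup(records):
    """What streamstats current=f window=1 values(Event_Name) yields:
    the Event_Name of the row immediately before each DBError, regardless
    of that row's type. This is why time5 picks up SQLErrCode1."""
    out = []
    prev = None
    for r in records:
        if r.event_type == "DBError":
            out.append((r.time, r.event_type, r.event_name, prev))
        prev = r.event_name
    return out


def correlate_db_errors(records):
    """Attach to each DBError the name of the most recent preceding Event row.
    The carried value changes only when an Event row is seen, so a run of
    consecutive DBErrors all map to the same triggering Event. A DBError
    before any Event gets None rather than a wrong attribution."""
    out = []
    last_event = None
    for r in records:
        if r.event_type == "Event":
            last_event = r.event_name
        elif r.event_type == "DBError":
            out.append((r.time, r.event_type, r.event_name, last_event))
    return out


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("previous-row lookup (window=1 behaviour):")
    for row in previous_row_lookup(recs):
        print(" ", *row)
    print("last-Event carry-forward (expected result):")
    for row in correlate_db_errors(recs):
        print(" ", *row)
```

The same carry-forward can be expressed in SPL without conditions on streamstats at all: null out the name on non-Event rows with `eval`, let `filldown` carry the last non-null value, then filter, e.g. `| eval last_event=if(Event_Type="Event", Event_Name, null()) | filldown last_event | where Event_Type="DBError"`. Because `filldown` only replaces nulls, a DBError row never overwrites the carried Event name.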