I have the following query:

    index="main"
    | rex field=_raw "node '(?<Falling_Node>[^']*)"
    | eval Rising_Node=case(<.....>)
    | sort +_time
    | filldown Rising_Node Falling_Node
    | where (host==Rising_Node OR host==Falling_Node)
    | sort -_time
    | transaction startswith="<start event>" endswith="<end event>"

where I look at all events and then use rex and eval to evaluate the necessary rising and falling nodes of each transaction. Then I sort +_time so that I can filldown those fields to all the events, then use | where to filter out any events that aren't coming from either the rising or falling nodes, and then finally sort -_time so that I can form the transaction. This works perfectly for all transactions where the start and end events are coming from hosts that are the Rising_Node or the Falling_Node. However, some of my events that I want to turn into transactions aren't like this. They have the same necessary start and end events, but those start and end events are NOT on the Rising_Node or the Falling_Node. Therefore, my query does not work because the " | where (host==Rising_Node OR host==Falling_Node)" always filters out those start and end events, so the transaction cannot occur. Does anyone have a workaround for these peculiar events where the start and end events are not on the rising or falling nodes? Here is what the scrambled data looks like for some of the transactions that have start events that are not on the rising or falling nodes:

2020/08/11 11:40:18.473, NOT_RISING/FALLING_NODE , Requested Falling node 'Falling_Node' by user '....'" (Start Event)
2020/08/11 11:40:44.512, Falling_Node, , <....information....>
2020/08/11 11:40:45.512, Rising_Node, , <....information....>
2020/08/11 11:40:49.512, NOT_RISING/FALLING_NODE, , <....information....>
2020/08/11 11:40:49.889, NOT_RISING/FALLING_NODE, , <....information....>
2020/08/11 11:40:50.512, Rising_Node, , <....information....>
2020/08/11 11:40:51.512, Rising_Node, , <....information....>
2020/08/11 11:40:55.889, NOT_RISING/FALLING_NODE, , <....information....>
2020/08/11 11:40:59.512, Rising_Node, , <....information....>
2020/08/11 11:40:59.889, NOT_RISING/FALLING_NODE, , <....information....>
2020/08/11 11:41:13.915, NOT_RISING/FALLING_NODE, Completed Transaction (End Event)

This is a sample of events in which my query doesn't work correctly because the Start and End Events are NOT on the Rising or Falling Node. However, I want to filter out all the NOT_RISING/FALLING_NODE events within the transaction.
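One way to keep the boundary events while still dropping the other NOT_RISING/FALLING_NODE events, added here as an example and not part of the original question or any answer: flag each event as a start or end event before the host filter, then let the where clause admit an event if it comes from the Rising_Node or Falling_Node, or if it is itself a start or end event. The start and end patterns ("Requested Falling node" and "Completed Transaction") are taken from the sample data above and are an assumption about the real event text; the case() expression for Rising_Node is left as the placeholder from the question, and the host field is assumed to hold the node name as in the sample.

```spl
index="main"
| rex field=_raw "node '(?<Falling_Node>[^']*)'"
| eval Rising_Node=case(<.....>)
| eval is_start=if(match(_raw, "Requested Falling node '"), 1, 0)
| eval is_end=if(match(_raw, "Completed Transaction"), 1, 0)
| sort 0 +_time
| filldown Rising_Node Falling_Node
| where host==Rising_Node OR host==Falling_Node OR is_start==1 OR is_end==1
| sort 0 -_time
| transaction startswith=eval(is_start==1) endswith=eval(is_end==1)
```

The two eval lines must come before the filldown/where stage so the start event is still present when its Falling_Node value is extracted and filled down to the events that follow it. The is_start/is_end flags also drive the transaction boundaries, so the start and end events no longer have to match on host. The 0 after sort lifts the default 10,000-row limit on sort; without it, a large time range is silently truncated before filldown runs and later transactions lose their node values.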