I am using the transaction command to group transactions on the field tx_id. Each successful transaction will begin with the field tx_state=FPA and end with tx_state=FUS. Each transaction will have any number of values for tx_state until the transaction is completed. Is there a way to track the time it took to go from one event to the next within a transaction based on how long it took to go from one tx_state to the next tx_state? Currently my search is as follows.
host=dtsever01 source=/tmp/messages.log sourcetype=messages tx_id=* | transaction tx_id startswith="FPA" endswith="FUS"
I have found that the following search will produce the time differentials between events, but only if there are exactly these 4 events in a transaction:
host=dtsever01 source=/tmp/messages.log sourcetype=messages tx_id=*
| eval FPA=if(tx_state="FPA",_time,null())
| eval MLS=if(tx_state="MLS",_time,null())
| eval DSS=if(tx_state="DSS",_time,null())
| eval FUS=if(tx_state="FUS",_time,null())
| transaction tx_id startswith="FPA" endswith="FUS"
| search credit_bureau
| eval MLS_Completion=MLS-FPA
| eval DSS_Completion=DSS-MLS
| eval FUS_Completion=FUS-DSS
| eval Total_Time=FUS-FPA
| stats avg(MLS_Completion) as MLS_AVG, avg(DSS_Completion) as DSS_AVG, avg(FUS_Completion) as FUS_AVG, avg(Total_Time) as Total_Time by tx_id
My goal is to get a timechart that shows the time it took between the tx_state values by tx_id.
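A generalized version of the search the post is after, added here as an example; it is not the poster's own search and not code supplied by Splunk. It assumes the same field names (tx_id, tx_state, _time) and the same host, source and sourcetype shown in the question. Rather than one eval per known state, it uses streamstats to carry the previous event's time and state forward within each tx_id, so a transaction with any number of intermediate tx_state values gets one duration per state-to-state step, which the original four-eval approach cannot do.

```spl
host=dtsever01 source=/tmp/messages.log sourcetype=messages tx_id=*
| sort 0 tx_id _time
| streamstats current=f last(_time) as prev_time last(tx_state) as prev_state by tx_id
| eval step_seconds=_time-prev_time
| eval step=prev_state."->".tx_state
| where isnotnull(prev_time)
| timechart span=1h avg(step_seconds) by step
```

The `sort 0` lifts the default 10000-row cap so every event is ordered by transaction and time before streamstats runs; `current=f` makes last(_time) refer to the previous event rather than the current one, and grouping by tx_id means the first event of each transaction (normally the FPA event) has no prev_time and is dropped by the where clause. Each step is then labelled like `FPA->MLS` so the timechart draws one series per transition. To see the same figures per transaction instead of over time, replace the final timechart with `| chart avg(step_seconds) over tx_id by step`, and to get the total elapsed time per transaction use `| stats sum(step_seconds) as Total_Time by tx_id`. One caveat: if a tx_id value is ever reused for a second transaction, the first event of the second run will be measured against the last event of the first, so in that case restrict the events to those inside a transaction first (for example by keeping the original transaction command and using mvexpand on the grouped events) or filter out steps whose prev_state is FUS.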