Hi,
I'm trying to show the concurrent number of 2 operations (e.g., data 'export' and data 'import') on a server in a time chart.
Here is what my log looks like:
2018-05-08T06:02:31 id=1 type=chunk_data
2018-05-08T06:02:32 id=1 type=export_chunk
2018-05-08T06:02:32 id=2 type=import_data
2018-05-08T06:02:32 id=1 type=export_chunk
2018-05-08T06:02:33 id=1 type=export_chunk
2018-05-08T06:02:33 id=1 type=export_chunk
2018-05-08T06:02:33 id=2 type=post_import
2018-05-08T06:02:34 id=2 type=post_import_cleanup
The export operation includes the following 2 stages:
chunking data first, which is defined by type=chunk_data in the log
then exporting the chunked data concurrently, which is specified by multiple log events with type=export_chunk
The import operation includes the following stages:
import data, with type=import_data in the log
post import, with type=post_import in the log
clean up, with type=post_import_cleanup in the log
So the expected output in the following search ranges:
if from 2018-05-08T06:02:31 -- 2018-05-08T06:02:34, 1 export and 1 import
if from 2018-05-08T06:02:32 -- 2018-05-08T06:02:34, 1 export and 1 import. In this case, we don't have type=chunk_data within the search range, but we should still consider that there was 1 export operation
if from 2018-05-08T06:02:32 -- 2018-05-08T06:02:33, 1 export and 1 import. In this case, we don't have type=post_import_cleanup in the search range, but we should still consider 1 ongoing import.
I'm new to Splunk and trying to use the transaction command, but I'm having trouble figuring out the query.
Any input would be highly appreciated!
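The counting logic the question describes, as an added example that is not part of the original post or of any Splunk answer: each stage name is mapped to the operation it belongs to, events outside the search range are dropped, and the number of distinct operation ids per operation is counted. The sample log is the question's own eight lines reproduced inline; the stage-to-operation mapping follows the stages listed above, and inclusive range bounds are an assumption.

```python
import re
from datetime import datetime

# Constructed sample input, copied from the question's log format (not real server data).
SAMPLE_LOG = """\
2018-05-08T06:02:31 id=1 type=chunk_data
2018-05-08T06:02:32 id=1 type=export_chunk
2018-05-08T06:02:32 id=2 type=import_data
2018-05-08T06:02:32 id=1 type=export_chunk
2018-05-08T06:02:33 id=1 type=export_chunk
2018-05-08T06:02:33 id=1 type=export_chunk
2018-05-08T06:02:33 id=2 type=post_import
2018-05-08T06:02:34 id=2 type=post_import_cleanup
"""

# Every stage named in the question, mapped to the operation it is part of.
# Any stage of an operation is enough evidence that the operation was active,
# which is what makes the partial-window cases in the question come out right.
STAGE_TO_OP = {
    "chunk_data": "export",
    "export_chunk": "export",
    "import_data": "import",
    "post_import": "import",
    "post_import_cleanup": "import",
}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+id=(?P<id>\d+)\s+type=(?P<type>\w+)")


def parse(log_text):
    """Turn raw log lines into (timestamp, id, stage) tuples; non-matching lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["id"], m["type"]))
    return events


def count_operations(events, start, end):
    """Count distinct operation ids per operation within [start, end] (inclusive, an assumption)."""
    start_ts = datetime.fromisoformat(start)
    end_ts = datetime.fromisoformat(end)
    seen = {"export": set(), "import": set()}
    for ts, op_id, stage in events:
        if not (start_ts <= ts <= end_ts):
            continue
        op = STAGE_TO_OP.get(stage)
        if op is None:
            continue  # unknown stage name: ignore rather than guess
        seen[op].add(op_id)
    return {op: len(ids) for op, ids in seen.items()}


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    for start, end in [
        ("2018-05-08T06:02:31", "2018-05-08T06:02:34"),
        ("2018-05-08T06:02:32", "2018-05-08T06:02:34"),
        ("2018-05-08T06:02:32", "2018-05-08T06:02:33"),
    ]:
        print(start, "--", end, count_operations(events, start, end))
```

The three search ranges from the question each yield 1 export and 1 import. Because ids are collected per operation, the count does not depend on seeing the first or last stage of an operation inside the window, which is exactly the behaviour the question asks for; it does assume an id is not reused for a second operation of the same kind within one window. In Splunk terms the same idea is an eval that derives the operation from the type field followed by stats dc(id) by that derived field, which avoids the transaction command altogether.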