Hi,
I have events like the following (in the sequence of occurrence):
{"TransactionId":"570978b406264e398d888cd8b49f867d","ParentId":"","RequestId":"24529c4700e942e1ba036f87b0d6080e","Customer":"86c62bf7f6ee4a1ab004e7e33ad9068a","Action":"ExecuteWCFTask/TestRun","Start":"2018-02-05T08:08:42.4689427+00:00","End":"2018-02-05T08:08:42.9378465+00:00","RequestType":3}
{"TransactionId":"570978b406264e398d888cd8b49f867d","ParentId":"24529c4700e942e1ba036f87b0d6080e","RequestId":"c0114983065a45fb83efa433f093ce06","Customer":"86c62bf7f6ee4a1ab004e7e33ad9068a","Action":"ExecuteWCFTaskService/StartTask","Start":"2018-02-05T08:08:42.48456+00:00","End":"2018-02-05T08:08:42.5158124+00:00","RequestType":5}
{"TransactionId":"570978b406264e398d888cd8b49f867d","ParentId":"c0114983065a45fb83efa433f093ce06","RequestId":"0d1438b1e8af4021a7848314f9e88daf","Customer":"86c62bf7f6ee4a1ab004e7e33ad9068a","Action":"TestRun","Start":"2018-02-05T08:08:42.634785+00:00","End":"2018-02-05T09:54:19.5054132+00:00","RequestType":16}
{"TransactionId":"570978b406264e398d888cd8b49f867d","ParentId":"0d1438b1e8af4021a7848314f9e88daf","RequestId":"bb95c271d2ef412d89bebe74f5db4aff","Customer":"86c62bf7f6ee4a1ab004e7e33ad9068a","Action":"UpdateTaskExecutionHistory","Start":"2018-02-05T09:54:48.2226293+00:00","End":"2018-02-05T09:54:48.2382566+00:00","RequestType":5}
The sequence is always the same, i.e. first we have request type 3, then 5, then 16 and then 5.
Request ID of the first event is the parent ID of second.
The only parameter common to all events is the TransactionId.
In the above example, Event with RequestType 16 was logged almost 106 minutes after event with RequestType 5 was logged.
I need the Customer and Action from the events whose requestType 16 is not received in real-time.
For example, if the event with request type 5 is logged at 0500 UTC and the search is run at 0700 UTC, I would like to get the customer and action of the event whose requestType 16 is still not logged.
I tried something like:
sourcetype=test TransactionId=* RequestType=3 | eval epocs=strptime(Start, "%Y-%m-%dT%H:%M:%S.%f") | eval epoce=strptime(End, "%Y-%m-%dT%H:%M:%S.%f") | stats max(_time) as last_time by Customer, TransactionId | eval latency_minutes=((now()-last_time)/60) | convert ctime(last_time) as last_time | fields + Customer, TransactionId, last_time, latency_minutes
But it didn't help.
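Added example, not from the post and not Splunk's own code: the "RequestType 16 has not arrived yet" check written as a small Python script over constructed events laid out like the ones quoted above. It groups events by TransactionId, treats the first RequestType 5 event as the start of the wait, and reports the Customer and Action of any transaction that has no RequestType 16 event as of the chosen search time. Transaction ids, request ids, customer ids and the `find_stuck`/`parse_ts` names are assumptions made for the example; the 7-digit fractional seconds in the timestamps are handled explicitly because `%f` only accepts up to six digits.

```python
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events in the same field layout as the post. Ids and
# customers are made up. tx-done completes normally, tx-stuck never logs its
# RequestType 16 event, tx-late logs it only at 07:30 UTC.
SAMPLE_EVENTS = [
    '{"TransactionId":"tx-done","ParentId":"","RequestId":"d1","Customer":"cust-a","Action":"ExecuteWCFTask/TestRun","Start":"2018-02-05T04:00:00.0000000+00:00","End":"2018-02-05T04:00:01+00:00","RequestType":3}',
    '{"TransactionId":"tx-done","ParentId":"d1","RequestId":"d2","Customer":"cust-a","Action":"ExecuteWCFTaskService/StartTask","Start":"2018-02-05T04:00:00.5+00:00","End":"2018-02-05T04:00:00.6+00:00","RequestType":5}',
    '{"TransactionId":"tx-done","ParentId":"d2","RequestId":"d3","Customer":"cust-a","Action":"TestRun","Start":"2018-02-05T04:00:01+00:00","End":"2018-02-05T04:30:00+00:00","RequestType":16}',
    '{"TransactionId":"tx-done","ParentId":"d3","RequestId":"d4","Customer":"cust-a","Action":"UpdateTaskExecutionHistory","Start":"2018-02-05T04:30:05+00:00","End":"2018-02-05T04:30:06+00:00","RequestType":5}',
    '{"TransactionId":"tx-stuck","ParentId":"","RequestId":"s1","Customer":"cust-b","Action":"ExecuteWCFTask/TestRun","Start":"2018-02-05T05:00:00+00:00","End":"2018-02-05T05:00:01+00:00","RequestType":3}',
    '{"TransactionId":"tx-stuck","ParentId":"s1","RequestId":"s2","Customer":"cust-b","Action":"ExecuteWCFTaskService/StartTask","Start":"2018-02-05T05:00:00+00:00","End":"2018-02-05T05:00:00.5+00:00","RequestType":5}',
    '{"TransactionId":"tx-late","ParentId":"","RequestId":"l1","Customer":"cust-c","Action":"ExecuteWCFTask/TestRun","Start":"2018-02-05T06:45:00+00:00","End":"2018-02-05T06:45:01+00:00","RequestType":3}',
    '{"TransactionId":"tx-late","ParentId":"l1","RequestId":"l2","Customer":"cust-c","Action":"ExecuteWCFTaskService/StartTask","Start":"2018-02-05T06:45:00+00:00","End":"2018-02-05T06:45:00.5+00:00","RequestType":5}',
    '{"TransactionId":"tx-late","ParentId":"l2","RequestId":"l3","Customer":"cust-c","Action":"TestRun","Start":"2018-02-05T07:30:00+00:00","End":"2018-02-05T07:45:00+00:00","RequestType":16}',
]

# ISO-8601 timestamp with an optional fraction of any length and a numeric
# or "Z" offset, as emitted by the application in the post.
_TS = re.compile(
    r"^(?P<base>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})"
    r"(?:\.(?P<frac>\d+))?(?P<tz>[+-]\d{2}:\d{2}|Z)$"
)


def parse_ts(value):
    """Parse the application's timestamps into a timezone-aware datetime.

    strptime's %f takes at most six digits, so a 7-digit fraction such as
    .4689427 is truncated to microseconds before parsing.
    """
    m = _TS.match(value)
    if not m:
        raise ValueError(f"unrecognised timestamp: {value!r}")
    frac = (m.group("frac") or "0")[:6].ljust(6, "0")
    tz = "+00:00" if m.group("tz") == "Z" else m.group("tz")
    return datetime.strptime(f"{m.group('base')}.{frac}{tz}", "%Y-%m-%dT%H:%M:%S.%f%z")


def find_stuck(raw_events, search_time, start_type=5, done_type=16, min_age_minutes=0):
    """Return transactions whose start_type event exists but no done_type event
    has been logged as of search_time (an ISO-8601 string).

    min_age_minutes suppresses transactions that started too recently to be
    considered late; set it from the normal TestRun duration to avoid noise.
    Results are sorted by TransactionId so the output is deterministic.
    """
    as_of = parse_ts(search_time)
    by_tx = defaultdict(list)
    for raw in raw_events:
        ev = json.loads(raw)
        # Only events already logged at the search time count: this is what
        # makes the check reproducible for a past point in time.
        if parse_ts(ev["Start"]) <= as_of:
            by_tx[ev["TransactionId"]].append(ev)

    stuck = []
    for tx, events in sorted(by_tx.items()):
        if any(e["RequestType"] == done_type for e in events):
            continue  # the TestRun event has arrived, nothing to report
        starts = [e for e in events if e["RequestType"] == start_type]
        if not starts:
            continue  # no StartTask yet, so nothing is being waited on
        first = min(starts, key=lambda e: parse_ts(e["Start"]))
        waiting = (as_of - parse_ts(first["Start"])).total_seconds() / 60
        if waiting < min_age_minutes:
            continue
        stuck.append({
            "TransactionId": tx,
            "Customer": first["Customer"],
            "Action": first["Action"],
            "waiting_minutes": round(waiting, 1),
        })
    return stuck


if __name__ == "__main__":
    for row in find_stuck(SAMPLE_EVENTS, "2018-02-05T07:00:00+00:00"):
        print(row)
```

Searching at 07:00 UTC reports both tx-stuck (waiting 120 minutes) and tx-late (waiting 15 minutes); searching at 08:00 reports only tx-stuck, because tx-late's RequestType 16 event has landed by then. In SPL the same shape is a `stats ... by TransactionId` that counts the RequestType 16 events per transaction (for instance `count(eval(RequestType=16))`) and keeps only the transactions where that count is 0, carrying the Customer and Action of the RequestType 5 event alongside. The `min_age_minutes` threshold matters for a real alert: the post's own example shows the TestRun event arriving about 106 minutes after the StartTask, so a transaction is only "not received" once it has waited longer than a normal run.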