Hi, I need to group events where the first event begins with "Receive message" and grouped by thread id.
But then need to add event from another thread id joined by field value.
For example this is the data
2019-12-03 14:48:54,320 INFO thread1 Received message execId=trade1
2019-12-03 14:48:54,321 INFO thread1 Process message
2019-12-03 14:48:54,325 INFO thread2 Received message execId=trade2
2019-12-03 14:48:54,327 INFO thread2 Process message
2019-12-03 14:48:54,421 INFO thread1 Process again message
2019-12-03 14:48:54,427 INFO thread2 Process again message
2019-12-03 14:48:54,527 INFO sender Send message execId=trade1
2019-12-03 14:48:54,528 INFO sender Send message execId=trade2
First part I am getting with this
source="simple.txt" | rex "^[^ ]*\s+[^ ]*\s+[^ ]*\s+(?[^ ]*)" | transaction threadId startswith="Received message" maxpause=1h
2019-12-03 14:48:54,320 INFO thread1 Received message execId=trade1
2019-12-03 14:48:54,321 INFO thread1 Process message
2019-12-03 14:48:54,421 INFO thread1 Process again message
2019-12-03 14:48:54,325 INFO thread2 Received message execId=trade2
2019-12-03 14:48:54,327 INFO thread2 Process message
2019-12-03 14:48:54,427 INFO thread2 Process again message
But cannot find the way to adjust query to add sender thread event correlated by execId to transaction.
So that in result should be
2019-12-03 14:48:54,320 INFO thread1 Received message execId=trade1
2019-12-03 14:48:54,321 INFO thread1 Process message
2019-12-03 14:48:54,421 INFO thread1 Process again message
2019-12-03 14:48:54,527 INFO sender Send message execId=trade1
2019-12-03 14:48:54,325 INFO thread2 Received message execId=trade2
2019-12-03 14:48:54,327 INFO thread2 Process message
2019-12-03 14:48:54,427 INFO thread2 Process again message
2019-12-03 14:48:54,528 INFO sender Send message execId=trade2
Tried append, join but cannot make it work.
Please advise, thanks
... View more