Hi all, I've got two queries I'm trying to combine to track authorizations that are completed, or expire after a period of seven days. The first query gets all of the authorizations sent, filtered by a unique AccountNum. Query 1: earliest=-8d@d latest=-7d@d sourcetype="PCF:log" cf_app_name=app1 "Sending authorization"
| rex field=msg "BAN: (?<AccountNum>\w+)" | dedup AccountNum The second query returns all authorizations that have expired after a period of inactivity. Query 2: earliest=@d latest=now sourcetype="PCF:log" cf_app_name=app2 "authorizationExpired"
| rex field=msg ",ban:(?<AccountNum>\w+)" | dedup AccountNum The closest I've gotten to combining them how I need is: Query 3: earliest=-8d@d latest=-7d@d sourcetype="PCF:log" cf_app_name=app1 "Sending authorization"
| rex field=msg "BAN: (?<AccountNum>\w+)" | dedup AccountNum
| append
[search earliest=@d latest=now sourcetype="PCF:log" cf_app_name=app2 "authorizationExpired"
| rex field=msg ",ban:(?<AccountNum>\w+)" | dedup AccountNum ]
| fields msg | eval action=case( match(msg,"Sending authorization+"), "Total Authorizations Sent", match(msg,"authorizationExpired+"), "Authorizations Expired")
| stats count(msg) by action However, there are two mistakes/gaps with this third query. The first problem is I need the second query to only return results where AccountNum in query 2 is matching an AccountNum in query 1. Secondly, I'd like to have a pie chart of Authorizations Expired (query 2) vs Authorizations Complete (total - expired = complete) but I'm struggling with the syntax on how to achieve that. This third query shows total + expired, where expired is actually a subset of total. I guess a third thing would be I don't know that append is really what I need or if there's a better, more performant way to construct this query? I'd love to learn any helpful tips or tricks! Greatly appreciate any help
... View more