
Can I check that a transaction does not contain more than 1 arbitrary field?

I have a log that tracks fruit names (Ok, not really, but let's go with that) over the course of many log entries comprising a session. All valid sessions contain exactly 1 banana and 1 orange, and may also contain pineapple, kiwi, apple and kumquats. Sessions always end with orange, but they can start with any other fruit, and all sessions last less than 15 minutes.

Edit: Sadly, sessions lack a session ID, so I'm using Transaction to infer when sessions start and end.

Occasionally there are invalid sessions (Rotten Fruit) which are indicated by more than 1 banana in the same transaction as an Orange. How can I write a transaction to kick out transactions like this:

> v.fruit_session=1 fruit=kumquat
> v.fruit_session=1 fruit=banana
> v.fruit_session=1 fruit=pineapple
> v.fruit_session=1 fruit=banana
> v.fruit_session=1 fruit=orange

but keep transactions like this?

> v.fruit_session=2 fruit=kumquat
> v.fruit_session=2 fruit=banana
> v.fruit_session=2 fruit=pineapple
> v.fruit_session=2 fruit=orange

------------

> v.fruit_session=3 fruit=banana
> v.fruit_session=3 fruit=kumquat
> v.fruit_session=3 fruit=pineapple
> v.fruit_session=3 fruit=orange

Here's what I'm using today:

    index=prod-fruit | transaction v.fruit_session endswith=v.fruit=orange maxspan=15m unifyends=true | table v.fruit_session_id, duration, _time, eventcount

I think the endswith makes it so I always end on Orange, the maxspan=15m keeps my events from growing too large, and unifyends makes it so I don't have orphans. But I think I could still get double bananas.
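As an added illustration (not part of the question above, and not Splunk's own code), the following Python models what the poster's `transaction` is doing: events without a session ID are grouped by "close the group when the ending fruit arrives, or when the group would exceed maxspan", and each inferred session is then checked for more than one banana. The log lines are constructed for the example, the session-inference rules are a simplified approximation of `transaction endswith=... maxspan=15m` (no `unifyends` handling beyond flushing an unterminated tail group), and the function names are mine.

```python
from datetime import datetime, timedelta

# Constructed sample log: timestamp plus a single key=value field, no session ID.
SAMPLE_LOG = """\
2024-01-01T10:00:00 fruit=kumquat
2024-01-01T10:01:00 fruit=banana
2024-01-01T10:02:00 fruit=pineapple
2024-01-01T10:03:00 fruit=banana
2024-01-01T10:04:00 fruit=orange
2024-01-01T10:10:00 fruit=kumquat
2024-01-01T10:11:00 fruit=banana
2024-01-01T10:12:00 fruit=pineapple
2024-01-01T10:13:00 fruit=orange
2024-01-01T10:20:00 fruit=banana
2024-01-01T10:21:00 fruit=kumquat
2024-01-01T10:22:00 fruit=pineapple
2024-01-01T10:23:00 fruit=orange
"""

MAXSPAN = timedelta(minutes=15)


def parse_events(text):
    """Turn '<iso timestamp> fruit=<name>' lines into (datetime, fruit) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kv = line.split(" ", 1)
        fields = dict(part.split("=", 1) for part in kv.split())
        events.append((datetime.fromisoformat(ts), fields["fruit"]))
    return events


def infer_sessions(events, endswith="orange", maxspan=MAXSPAN):
    """Approximate 'transaction endswith=<fruit> maxspan=<span>' without a session key.

    A group closes when the ending fruit is seen. If the next event would push the
    group past maxspan, the group is closed first (as an orphan) and a new one starts.
    """
    sessions, current = [], []
    for ts, fruit in sorted(events):
        if current and ts - current[0][0] > maxspan:
            sessions.append(current)
            current = []
        current.append((ts, fruit))
        if fruit == endswith:
            sessions.append(current)
            current = []
    if current:  # tail group that never saw the ending fruit
        sessions.append(current)
    return sessions


def summarize(session, flagged_fruit="banana", limit=1):
    """Mimic the poster's table columns and add the 'too many bananas' check."""
    fruits = [f for _, f in session]
    count = fruits.count(flagged_fruit)
    return {
        "start": session[0][0],
        "duration_s": int((session[-1][0] - session[0][0]).total_seconds()),
        "eventcount": len(session),
        "bananas": count,
        "rotten": count > limit,
    }


def rotten_sessions(text):
    """Return summaries of sessions that contain more than one banana."""
    sessions = infer_sessions(parse_events(text))
    return [s for s in map(summarize, sessions) if s["rotten"]]


if __name__ == "__main__":
    for row in map(summarize, infer_sessions(parse_events(SAMPLE_LOG))):
        print(row)
```

The key point the model makes visible: `transaction` itself only decides where a session starts and ends; the "more than one banana" condition has to be evaluated per inferred session afterwards, by counting occurrences rather than distinct values. In SPL the equivalent of `summarize` would be a count over the transaction's multivalue `fruit` field, and since `transaction` by default keeps only unique values per field, that count needs the duplicates retained (the `mvlist` option) before filtering on it; that is my suggestion for where to look, not something the question states.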
