I have used the 'transaction' command to isolate transactions that are made up of roughly 45 events each. I have a regex that identifies a TaskName and the TotalMilliseconds for each event, producing 45 matches for each transaction.
Questions:
When I try to filter the transaction (TotalMilliseconds>500, for example), the criteria is applied only against the first match. How can I ensure ALL matches are considered when filtering?
How can I insert a 'tab' character when formatting a concatenated field value? TotalMilliseconds."\t".TaskName and its derivatives do not work.
How can I filter the results to show only matches where TotalMilliseconds<500 (for example)? Any attempt I've made so far has only applied the filter to the FIRST match in my list of 45 values.
Is there any way to force a numeric sort on a string field?
Thanks for looking!
Appendix:
Query:
base search
|rex "rex to find ClientID"
|rex "long rex that finds TaskName and TotalMilliseconds"
|transaction field1 field2 maxspan=5m unifyends=true startswith="beginning" endswith="ending"
|search [[[or, 'where']]] TotalMilliseconds>500 <--neither meets my needs
Results:
ClientID  TimeAndTaskName
abc123    1127 (UseCaseA)
          12 (UseCaseB)
          21 (UseCaseY)
Goal (filtering TotalMilliseconds>20):
ClientID  TimeAndTaskName
abc123    21 UseCaseY
          1127 UseCaseA