I have a transaction overlap issue. The output below is the data from my search query, which uses a transaction command. Here is my search query:
**Search**
```
index=* (sourcetype=InCharge-Traps AND (State="Notify" OR State="Clear")) OR (sourcetype=SAM_Audit AND (eventtype="Notification Notify" OR eventtype="Notification Clear")) source!="D:\\InCharge\\SAM\\smarts\\local\\logs\\TRAP-INCHARGE-OI_en_US_UTF-8.log"
[| inputlookup New_SLA_Targets where Alert="y"
| fields InstanceName EventName]
| lookup New_SLA_Targets InstanceName EventName OUTPUT Service Target Type Dev_Needed Status Weight SecsDown StartTime EndTime
| sort _time
| transaction Service InstanceName EventName Type startswith=(State="Notify" OR eventtype="Notification Notify") endswith=(State="Clear" OR eventtype="Notification Clear")
| concurrency duration=duration
| eval stime=strftime(_time, "%H:%M:%S")
| eval stime_epoch=_time
| eval etime_epoch=stime_epoch+duration
| eval etime=strftime(etime_epoch, "%H:%M:%S")
| where stime>StartTime AND etimeSecsDown,"Y","N"))
| where Active="Y"
| table _time stime_epoch stime etime_epoch etime duration concurrency InstanceName EventName
```
**Output**

| _time | stime_epoch | stime | etime_epoch | etime | duration | concurrency | InstanceName | EventName |
|---|---|---|---|---|---|---|---|---|
| 2017-08-28 10:13:19 | 1503933199 | 10:13:19 | 1503933383 | 10:16:23 | 184 | 1 | ualbuacwas5 | Down |
| 2017-08-28 10:17:15 | 1503933435 | 10:17:15 | 1503941278 | 12:27:58 | 7843 | 1 | ualbuacwas4 | Down |
| 2017-08-28 12:22:35 | 1503940955 | 12:22:35 | 1503941180 | 12:26:20 | 225 | 2 | ualbuacwas5 | Down |
| 2017-08-28 12:29:39 | 1503941379 | 12:29:39 | 1503945457 | 13:37:37 | 4078 | 1 | ualbuacwas4 | Down |
| 2017-08-28 13:13:43 | 1503944023 | 13:13:43 | 1503947722 | 14:15:22 | 3699 | 2 | ualbuacwas5 | Down |
I need to identify and report the overlapping transactions and the overlapping duration. All other durations are not important.
So, if you look at the output, the end of the transaction at stime_epoch 1503933435 overlaps the next one at stime_epoch 1503940955. This is the record with a concurrency of 2. I have two overlaps in my data and need to report on the duration of just the overlap. I believe that in my example above it would be 323 seconds. My second would be 1434.
At this point I am stuck. I'm sure that someone out there can help me out.
Thanks in advance,
Rcp
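As an added illustration that is not part of the original post, the script below computes the overlap between transactions directly from the rows in the Output table above (copied into the script as constructed sample data). It takes the overlap of two transactions to be the length of their intersection, i.e. the earlier of the two end times minus the later of the two start times, clipped at zero. That is more general than subtracting the next transaction's start from the previous one's end: when the later transaction finishes before the earlier one does (as the third row here, which ends at 1503941180 while the second row runs to 1503941278), the intersection is the shorter value. It also checks every pair, so it still reports correctly when more than two transactions overlap at once. Function and variable names are my own.

```python
from itertools import combinations

# Constructed sample input: the rows of the transaction output posted above,
# as (stime_epoch, etime_epoch, InstanceName, EventName).
TRANSACTIONS = [
    (1503933199, 1503933383, "ualbuacwas5", "Down"),
    (1503933435, 1503941278, "ualbuacwas4", "Down"),
    (1503940955, 1503941180, "ualbuacwas5", "Down"),
    (1503941379, 1503945457, "ualbuacwas4", "Down"),
    (1503944023, 1503947722, "ualbuacwas5", "Down"),
]


def overlap_seconds(start_a, end_a, start_b, end_b):
    """Length in seconds of the intersection of two intervals, 0 if disjoint.

    The intersection runs from the later of the two starts to the earlier of
    the two ends; a negative length means the intervals do not touch.
    """
    return max(0, min(end_a, end_b) - max(start_a, start_b))


def find_overlaps(transactions):
    """Return one record per pair of transactions that overlap.

    Each record is (earlier_start, later_start, overlap_seconds, earlier_label,
    later_label).  Every pair is examined, so a transaction that overlaps two
    others (concurrency of 3) is reported once per partner rather than once.
    """
    rows = sorted(transactions, key=lambda t: (t[0], t[1]))
    overlaps = []
    for (s_a, e_a, inst_a, ev_a), (s_b, e_b, inst_b, ev_b) in combinations(rows, 2):
        secs = overlap_seconds(s_a, e_a, s_b, e_b)
        if secs > 0:
            overlaps.append((s_a, s_b, secs, f"{inst_a} {ev_a}", f"{inst_b} {ev_b}"))
    return overlaps


def total_overlap_seconds(transactions):
    """Sum of all pairwise overlap durations, for a single reporting figure."""
    return sum(rec[2] for rec in find_overlaps(transactions))


if __name__ == "__main__":
    for s_a, s_b, secs, label_a, label_b in find_overlaps(TRANSACTIONS):
        print(f"{s_a} ({label_a}) overlaps {s_b} ({label_b}) for {secs}s")
    print(f"total overlap: {total_overlap_seconds(TRANSACTIONS)}s")
```

Run on the posted rows it reports two overlaps: 225 seconds between the transactions starting at 1503933435 and 1503940955 (the third row lies entirely inside the second), and 1434 seconds between those starting at 1503941379 and 1503944023. The same intersection calculation can be expressed inside the search itself once the rows are sorted by start time, by carrying the previous row's start and end forward with `streamstats current=f window=1 last(stime_epoch) as prev_start last(etime_epoch) as prev_end`, then `eval overlap=min(etime_epoch, prev_end) - max(stime_epoch, prev_start)` and `where overlap > 0`; that SPL sketch is my suggestion, not from the post, and it only compares each transaction with its immediate predecessor.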