I'm not sure if I can get any help here, but I am going to try because I've been wrestling with this search/data for a week now.
The setup:
I have log files that have fields, and I need to determine the amount of time from when a field is x to when a field is y. I am using transaction and concurrency. Here is my search:

```
index=xxx ALPXX=* SCBXX=* abc12.prod04 | transaction host startswith="ALPXX=re-connecting" endswith="ALPXX=online" | concurrency duration=duration | eval duration=tostring(duration,"duration") | sort 0 _time | where concurrency < 2
```
Example logs:

```
[1456793400] SERVICE ALERT: abc12.prod04;xx_yy;WARNING;SOFT;1;ALPXX=re-connecting, SCBXX=online Total=1/2
[1456793700] SERVICE ALERT: abc12.prod04.dqx;xx_yy;OK;SOFT;2;ALPXX=online SCBXX=online Total=2/2
```
The search works great if the two logs it's determining the duration for are close to each other, but if there are several `ALPXX=re-connecting` between them, it will sometimes skip over the first instance of `ALPXX=online` and go to one a few logs further along in time. (Basically, our server reports these at specific time intervals, so when it's down it will say `ALPXX=re-connecting` every 5 mins, and when it's up it will say `ALPXX=online` every 5 mins.)
Can anyone spot something in the search that may be causing me to skip a valid endswith value? Thanks for any insight.
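As an added illustration (not part of the question and not Splunk's own implementation), the following Python models what the search is trying to compute: for each host, open an outage on the first `ALPXX=re-connecting` line, absorb any further re-connecting lines while it is open, and close it on the first `ALPXX=online` line, then report the gap in the same HH:MM:SS form that `tostring(duration,"duration")` produces. The sample lines are constructed in the layout of the two example logs above, with a repeated re-connecting run so the pairing can be checked. Because events are grouped by host, the model also shows that the two lines quoted in the question, whose host strings differ (`abc12.prod04` versus `abc12.prod04.dqx`), never form a pair at all; that is an observation about the sample data, not a diagnosis of the search.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines laid out like the two examples in the question:
# "[epoch] SERVICE ALERT: host;service;state;type;attempt;ALPXX=... SCBXX=... Total=x/y".
# The host reports every 5 minutes, so an outage yields several consecutive
# ALPXX=re-connecting lines before the first ALPXX=online.
SAMPLE_LOGS = [
    "[1456793400] SERVICE ALERT: abc12.prod04;xx_yy;WARNING;SOFT;1;ALPXX=re-connecting, SCBXX=online Total=1/2",
    "[1456793700] SERVICE ALERT: abc12.prod04;xx_yy;WARNING;SOFT;2;ALPXX=re-connecting, SCBXX=online Total=1/2",
    "[1456794000] SERVICE ALERT: abc12.prod04;xx_yy;OK;SOFT;3;ALPXX=online SCBXX=online Total=2/2",
    "[1456794300] SERVICE ALERT: abc12.prod04;xx_yy;OK;SOFT;4;ALPXX=online SCBXX=online Total=2/2",
    "[1456794600] SERVICE ALERT: abc12.prod04;xx_yy;WARNING;SOFT;1;ALPXX=re-connecting, SCBXX=online Total=1/2",
    "[1456794900] SERVICE ALERT: abc12.prod04;xx_yy;OK;SOFT;2;ALPXX=online SCBXX=online Total=2/2",
]

# The two lines exactly as given in the question (note the differing host strings).
QUESTION_LINES = [
    "[1456793400] SERVICE ALERT: abc12.prod04;xx_yy;WARNING;SOFT;1;ALPXX=re-connecting, SCBXX=online Total=1/2",
    "[1456793700] SERVICE ALERT: abc12.prod04.dqx;xx_yy;OK;SOFT;2;ALPXX=online SCBXX=online Total=2/2",
]

# Timestamp in brackets, host up to the first ';', then the ALPXX state token.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d+)\]\s+SERVICE ALERT:\s+(?P<host>[^;]+);.*?\bALPXX=(?P<alpxx>[A-Za-z-]+)"
)


@dataclass(frozen=True)
class Event:
    ts: int
    host: str
    alpxx: str


@dataclass(frozen=True)
class Outage:
    host: str
    start: int  # epoch of the first ALPXX=re-connecting
    end: int    # epoch of the first ALPXX=online that follows it

    @property
    def duration(self) -> int:
        return self.end - self.start


def parse_line(line: str) -> Optional[Event]:
    """Pull the timestamp, host and ALPXX state out of one alert line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return Event(int(m.group("ts")), m.group("host"), m.group("alpxx"))


def pair_outages(lines: List[str]) -> List[Outage]:
    """Pair each host's first 're-connecting' with the next 'online'.

    This is a simplified model of the intent behind
    `transaction host startswith=... endswith=...`, not Splunk's code:
    events are processed in time order and keyed by host, a transaction
    opens on the first re-connecting line, later re-connecting lines while
    it is open are absorbed, and the first online line closes it. Lines
    whose host strings differ live in separate groups and never pair.
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e.ts)
    open_since: Dict[str, int] = {}
    outages: List[Outage] = []
    for ev in events:
        if ev.alpxx == "re-connecting":
            open_since.setdefault(ev.host, ev.ts)  # keep the earliest start
        elif ev.alpxx == "online" and ev.host in open_since:
            outages.append(Outage(ev.host, open_since.pop(ev.host), ev.ts))
    return outages


def format_duration(seconds: int) -> str:
    """Render seconds as HH:MM:SS, the form tostring(duration, "duration") yields."""
    h, rem = divmod(seconds, 3600)
    m, s = divmod(rem, 60)
    return f"{h:02d}:{m:02d}:{s:02d}"


if __name__ == "__main__":
    for o in pair_outages(SAMPLE_LOGS):
        print(o.host, o.start, o.end, format_duration(o.duration))
    print("pairs from the question's two lines:", pair_outages(QUESTION_LINES))
```

Running it on the constructed sample yields two outages for `abc12.prod04`, of 10 minutes and 5 minutes, while the question's own two lines yield none because their host keys differ. A useful check when a transaction "skips" an end event is to confirm that the start and end lines really carry an identical value in every field the transaction groups on.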