Channel: Questions in topic: "splunk-enterprise"

transaction maxevents=2 returns 1 event, maxevents=3 returns 3

Hello, all, I'm trying to find the elapsed time between two events: one containing the string "/makeCreditCardPaymentSD" and the one that follows it. The transaction is grouped over a field called callid, which is correctly extracted. The logs from which I'm pulling these events may have thousands of irrelevant events between any two for the same callid, but I'm assuming that doesn't matter. This is what I came up with for a transaction clause:

`| transaction callid startswith="/makeCreditCardPaymentSD" maxevents=2`

It works... about 3/4 of the time. All the other times it extracts only one event even though there are definitely more events in the transaction. For example, the search with that transaction clause returned this as one of the transactions (IP address redacted):

```
20180813,12:02:43.644,http-nio-7000-exec-193,INFO ,WebUtilities.getFileNoCache.119,prdvpsivr802-1124346-2018225185936 | FETCH http://###:8080/Postpaid_HostCall/vxml/jsp/makeCreditCardPaymentSD.jsp
```

If I change maxevents to 3, and change **nothing else** about the query or time range, I get three events in the transaction for that callid:

```
20180813,12:02:43.644,http-nio-7000-exec-193,INFO ,WebUtilities.getFileNoCache.119,prdvpsivr802-1124346-2018225185936 | FETCH http://###:8080/Postpaid_HostCall/vxml/jsp/makeCreditCardPaymentSD.jsp
20180813,12:02:47.263,http-nio-7000-exec-193,INFO ,WebUtilities.getFile.57,prdvpsivr802-1124346-2018225185936 | FETCH http://###8080/Payment_CCP/vxml/js/menus/PS4535_DM.js
20180813,12:03:09.899,http-nio-7000-exec-172,INFO ,JavaScriptEngine.log.27,prdvpsivr802-1124346-2018225185936 | DISCONNECT EVENT=connection.disconnect.hangup
```

I've tried a bunch of variations over keeporphans, keepevicted, maxopentxn, maxopenevents, and so on - nothing helps.

The one thing I've tried that does seem to get the right results is to reverse the incoming events and use endswith instead of startswith:

`| reverse | transaction callid endswith="/makeCreditCardPaymentSD" maxevents=2`

but then "reverse" seems to be using a huge amount of memory. Any suggestions on how to fix this?

Much obliged,
Sean

ETA: I've managed to mitigate the maxevents conflict by setting startswith AND endswith conditions on the transaction, such that a transaction starts with any event containing /makeCreditCardPaymentSD and ends with any event that doesn't contain it:

`| transaction callid startswith=eval(if(searchmatch("/makeCreditCardPaymentSD"),true(),0)) endswith=eval(if(searchmatch("/makeCreditCardPaymentSD"),0,true())) maxevents=2 unifyends=true`

with the unifyends seemingly necessary to keep other events from elbowing in. I'm not sure this is capturing all the events I want, though - there are a smaller number of transactions showing up than I expected. I'll keep testing to make sure.
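A stand-alone reference for what the transaction in the question is meant to compute, added here as an example that is neither the poster's code nor Splunk's: it parses the log format quoted above, pairs each event containing /makeCreditCardPaymentSD with the chronologically next event for the same callid (ignoring any number of interleaved events from other calls), and returns the elapsed seconds. The sample log is constructed from the three lines quoted in the post plus one made-up interleaved line for a different callid, so the expected pairing can be checked by hand against a Splunk result.

```python
from datetime import datetime

# Constructed sample in the page's log format: date,time,thread,level,source,callid | message.
# Lines 1, 3 and 4 are the events quoted in the question (IP redacted as in the post);
# line 2 is a constructed "irrelevant" event for another callid, interleaved on purpose.
SAMPLE_LOG = """\
20180813,12:02:43.644,http-nio-7000-exec-193,INFO ,WebUtilities.getFileNoCache.119,prdvpsivr802-1124346-2018225185936 | FETCH http://###:8080/Postpaid_HostCall/vxml/jsp/makeCreditCardPaymentSD.jsp
20180813,12:02:44.010,http-nio-7000-exec-001,INFO ,WebUtilities.getFile.57,prdvpsivr802-9999999-2018225185900 | FETCH http://###:8080/Other/vxml/js/menus/PS0001_DM.js
20180813,12:02:47.263,http-nio-7000-exec-193,INFO ,WebUtilities.getFile.57,prdvpsivr802-1124346-2018225185936 | FETCH http://###8080/Payment_CCP/vxml/js/menus/PS4535_DM.js
20180813,12:03:09.899,http-nio-7000-exec-172,INFO ,JavaScriptEngine.log.27,prdvpsivr802-1124346-2018225185936 | DISCONNECT EVENT=connection.disconnect.hangup
"""

START_MARKER = "/makeCreditCardPaymentSD"


def parse_line(line):
    """Split one log line into (timestamp, callid, message)."""
    header, _, message = line.partition(" | ")
    fields = header.split(",")
    ts = datetime.strptime(fields[0] + fields[1], "%Y%m%d%H:%M:%S.%f")
    callid = fields[5].strip()
    return ts, callid, message


def elapsed_after_marker(log_text, marker=START_MARKER):
    """Pair every event whose message contains `marker` with the next event of the
    same callid in chronological order; events of other callids in between are
    skipped. Returns a list of (callid, elapsed_seconds, next_event_message)."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    pending = {}   # callid -> timestamp of a marker event not yet paired
    results = []
    for ts, callid, message in events:
        if callid in pending:   # this is the "next event" for an open pair
            results.append((callid, (ts - pending.pop(callid)).total_seconds(), message))
        if marker in message:   # a marker event opens (or re-opens) a pair
            pending[callid] = ts
    return results


if __name__ == "__main__":
    for callid, secs, msg in elapsed_after_marker(SAMPLE_LOG):
        print(f"{callid}: {secs:.3f} s until next event -> {msg}")
```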
