I have the following log sets, one for the success case and one for the failure case:
    Success:
    id=11111 msg=Begin process...
    id=11111 msg=check
    id=11111 msg=Success...
    
    failure:
    id=22222 msg=Begin process...
    id=22222 msg=check
    id=22222 msg=Fail...
Here I want to check the time between the events using the transaction.
    host=* sourcetype=** source="*/example.log" "Begin process*" OR "Success*"
      | transaction traceId startswith="Begin process" endswith="Success" 
      | table traceId duration _time
The above query will give me the transactions of a success case only.
Can we use the `AND` operator in `endswith` so that I can check the duration between events irrespective of it being a success or failure?