Hello Everyone,
I am trying to identify system failures based on the sample data below:
ABCD AB1234 USERID SYSTEM
ABCD AB1234 XXXXX
ABCD AB1234 YYYYY
ABCD AB1234 ZZZZZZ
ABCD AB1234 FAILD
ABCD AB1231 USERID USER1
ABCD AB1231 XXXXX
ABCD AB1231 YYYYY
ABCD AB1231 ZZZZZZ
ABCD AB1231 FAILD
ABEF AB1235 USERID SYSTEM
ABEF AB1235 XXXXX
ABEF AB1235 YYYYY
ABEF AB1235 ZZZZZZ
ABEF AB1235 FAILD
DEFG AB1231 USERID SYSTEM
DEFG AB1231 XXXXX
DEFG AB1231 YYYYY
DEFG AB1231 ZZZZZZ
DEFG AB1231 FAILD
DEFG AB1231 USERID USER2
DEFG AB1231 XXXXX
DEFG AB1231 YYYYY
DEFG AB1231 ZZZZZZ
DEFG AB1231 FAILD
The first column represents JOBNAME, the second JOBID and the third MSGTXT.
The JOBNAME and JOBID combination is unique for a process. I am trying to get the count of FAILD, only for processes where USERID SYSTEM appears in the MSGTXT field, by the first two characters of JOBNAME.
I tried using the TRANSACTION command as below but it didn't give me the expected results.
index=system_data JOBID=* JOBNAME=*
| transaction JOBNAME JOBID keepevicted=1 startswith="*USERID SYSTEM*" endswith="*FAILD*"
| eval JOB = substr(JOBNAME,1,2)
| stats values(eventcount) as failures by JOB
| where eventcount>0
I am expecting the output to be:
AB 2
DE 1
Please assist.
Thank you
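A stand-alone reference implementation of the count the post asks for, written in Python rather than SPL as an added example (not part of the original post). It assumes the three fields are whitespace separated, that MSGTXT is everything after JOBID, and that each USERID line opens a new process for that JOBNAME/JOBID pair and FAILD closes it, so a job id reused by SYSTEM and USER2 is counted per user.

```python
from collections import defaultdict

# Constructed sample in the post's layout: JOBNAME JOBID MSGTXT
SAMPLE_LOG = """\
ABCD AB1234 USERID SYSTEM
ABCD AB1234 XXXXX
ABCD AB1234 FAILD
ABCD AB1231 USERID USER1
ABCD AB1231 XXXXX
ABCD AB1231 FAILD
ABEF AB1235 USERID SYSTEM
ABEF AB1235 YYYYY
ABEF AB1235 FAILD
DEFG AB1231 USERID SYSTEM
DEFG AB1231 ZZZZZZ
DEFG AB1231 FAILD
DEFG AB1231 USERID USER2
DEFG AB1231 ZZZZZZ
DEFG AB1231 FAILD
"""


def count_system_failures(text, user="SYSTEM", prefix_len=2):
    """Return {JOBNAME prefix: FAILD count}, counting a FAILD only when the
    process (JOBNAME, JOBID) was most recently opened by 'USERID <user>'.
    A later USERID line for the same pair starts a fresh process, which is
    the split the post's transaction startswith/endswith was meant to make."""
    current_user = {}           # (JOBNAME, JOBID) -> user from last USERID line
    failures = defaultdict(int)
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue            # blank or malformed line: ignore
        jobname, jobid, msgtxt = parts
        key = (jobname, jobid)
        if msgtxt.startswith("USERID "):
            current_user[key] = msgtxt.split(None, 1)[1].strip()
        elif msgtxt.strip() == "FAILD":
            if current_user.get(key) == user:
                failures[jobname[:prefix_len]] += 1
            current_user.pop(key, None)   # FAILD closes the process
    return dict(failures)


if __name__ == "__main__":
    for job, n in sorted(count_system_failures(SAMPLE_LOG).items()):
        print(job, n)           # AB 2 / DE 1 for the sample above
```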