Hi,
I am trying to extract sequence of events from logs by using `transaction` command. I am looking for sequence of six events. It works well as long as the first and the last events are not the same but when they are same, it just lists every line in the log individually matching the value in the **startswith**/**endswith**.
Here is my search :
index=myindex source=/my/folder/raw.log.gz xxx.xxx.xxx.xxx | sort -Time | eval ip="xxx.xxx.xxx.xxx" | transaction ip startswith="win_event=4624" endswith="win_event=4624" maxevents=6| search eventcount=6
In this search, I am searching for all the logs for an IP, sorting them (as transaction returns an error if not sorted), creating an IP field as it is not there, and generating a transaction for this IP to extract log lines that have `win_event=4624` as starting and ending event. I want all the six events including 4624 that occur between two 4624. This search only works when **startswith** and **endswith** do not have the same value.
I also tried the following variation but it didn't work either:
| sort -Time | eval ip="xxx.xxx.xxx.xxx" | streamstats window=6 current=true last(win_event) AS win_event_last first(win_event) AS win_event_first | transaction startswith="win_event_first=4624" endswith="win_event_last=4624" maxevents=6
↧