Hi,
Can someone please advise how we can implement a data model for the scenario below? This query has a transaction and it also includes a subsearch.
index=idx sourcetype=hadoop (host=l*pv*) ( EventDesc="Got Request*" OR (EventDesc="*Finished processing for request map*" AND tt_total>1000) )
| eval Platform=if(sourcetype=="hadoop:app:opera", "OPERA", "Fingerprint")
| search Platform="*"
| transaction host pub_guid startswith="Got Request*" endswith="*Finished processing for request map*" maxevents=2
| where tt_total>1000
| eval Market=replace(mkt_cd, "\"", "")
| search Market="*"
| stats count by Market
| append [
    search index=imdc_vms sourcetype="hadoop:app:tomcat:catalina" (host=l*pv*) ( "Called get*" OR ("Call to Response *took*" AND tt_total>1000) )
    | eval Platform=if(sourcetype=="hadoop", "OPERA", "Fingerprint")
    | search Platform="*"
    | transaction host startswith="Called get*" endswith="Call to Response *took*" maxevents=2
    | where tt_total>1000
    | rename market as Market
    | search Market="*"
    | stats count by Market
  ]
| stats sum(count) by Market
Thanks