I have a transaction based on a bunch of events from a common source with a common transaction ID, something like
|"search" | transaction by tid
This will get me results like
2017-04-11 04:20:32,502 tid:10001
2017-04-11 04:20:32,502 tid:10001
2017-04-11 04:20:32,502 tid:10001
2017-04-11 04:20:31,502 tid:10001
-----------------------------------------------------
2017-04-11 04:10:12,502 tid:10000
2017-04-11 04:10:12,502 tid:10000
2017-04-11 04:10:12,502 tid:10000
2017-04-11 04:10:11,502 tid:10000
-----------------------------------------------------
but I need to associate the transaction events with an event from another source. That source has an outcome that happens within 1s of the transaction in the first source.
2017-04-11 04:20:33,502 src_ip=192.168.1.99 result=success
2017-04-11 04:10:12,502 src_ip=192.168.1.15 result=fail
Is there a way to add events to my transactions or otherwise join based on the last time in the transactions? Ideally I'd like to be able to see results like:
-----------------------------------------------------
2017-04-11 04:20:33,502 src_ip=192.168.1.99 result=success
2017-04-11 04:20:32,502 tid:10001
2017-04-11 04:20:32,502 tid:10001
2017-04-11 04:20:32,502 tid:10001
2017-04-11 04:20:31,502 tid:10001
-----------------------------------------------------
2017-04-11 04:10:12,502 src_ip=192.168.1.15 result=fail
2017-04-11 04:10:12,502 tid:10000
2017-04-11 04:10:12,502 tid:10000
2017-04-11 04:10:12,502 tid:10000
2017-04-11 04:10:11,502 tid:10000
-----------------------------------------------------
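The post has no answer on the page, so here is the join logic it asks for, worked through in plain Python as an added example (not from the original post or from Splunk): group events by tid, take each transaction's latest timestamp, and attach the nearest outcome event that falls within a 1 s window of it. The sample lines are constructed to mirror the question; `TS`, `build_transactions` and `attach_outcomes` are names chosen here, not Splunk commands.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events mirroring the question (not real logs).
TX_EVENTS = [
    "2017-04-11 04:20:32,502 tid:10001",
    "2017-04-11 04:20:32,502 tid:10001",
    "2017-04-11 04:20:31,502 tid:10001",
    "2017-04-11 04:10:12,502 tid:10000",
    "2017-04-11 04:10:11,502 tid:10000",
]
OUTCOME_EVENTS = [
    "2017-04-11 04:20:33,502 src_ip=192.168.1.99 result=success",
    "2017-04-11 04:10:12,502 src_ip=192.168.1.15 result=fail",
]
TS = "%Y-%m-%d %H:%M:%S,%f"  # log timestamp format, comma before milliseconds


def parse_ts(line):
    """Timestamp is the first 23 characters of every line in both sources."""
    return datetime.strptime(line[:23], TS)


def build_transactions(lines):
    """Group lines by tid and track the latest timestamp (like `transaction by tid`)."""
    tx = {}
    for line in lines:
        tid = re.search(r"tid:(\d+)", line).group(1)
        t = tx.setdefault(tid, {"events": [], "last": None, "outcome": None})
        t["events"].append(line)
        ts = parse_ts(line)
        if t["last"] is None or ts > t["last"]:
            t["last"] = ts
    return tx


def attach_outcomes(tx, outcomes, window=timedelta(seconds=1)):
    """Attach the outcome closest to each transaction's last event, if within `window`.

    Nearest-wins keeps the join unambiguous when several outcomes fall in the window;
    a transaction with no outcome in range keeps outcome=None instead of a wrong match.
    """
    for t in tx.values():
        best = None
        for line in outcomes:
            delta = abs(parse_ts(line) - t["last"])
            if delta <= window and (best is None or delta < best[0]):
                best = (delta, line)
        t["outcome"] = best[1] if best else None
    return tx


def correlate():
    return attach_outcomes(build_transactions(TX_EVENTS), OUTCOME_EVENTS)
```

`correlate()["10001"]["outcome"]` is the `result=success` line (exactly 1 s after the last tid:10001 event) and `correlate()["10000"]["outcome"]` is the `result=fail` line; a transaction with nothing in range gets `None`.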