Re: Filtering Events

Deepz2612 · ‎10-05-2019

Hi,
I would want to know the current event and the after event of that particular current event.

1.First i would want to search for a particular number sequence 12345.
2.Then find the event that occurs right after it.
3.I want the result to have both the events.
4.index,source and sourcetype for both the events are same.

Example:

In the below set of data,

Srvcs.APIController - Start - [12345]
Srvcs.evntcontroller - service not found
Srvcs.APIController - attempting

Srvcs.APIController - Start - [12345]
Srvcs.errcontroller - invalid call
Srvcs.APIController - attempting

Result i want is

Srvcs.APIController - Start - [12345]
Srvcs.evntcontroller - service not found

And for the second set

Srvcs.APIController - Start - [12345]
Srvcs.errcontroller - invalid call

Kindly help me with this

woodcock · ‎10-06-2019

Like this:

| makeresults 
|  eval raw="Srvcs.APIController - Start - [12345]
Srvcs.evntcontroller - service not found
Srvcs.APIController - attempting
Srvcs.APIController - Start - [12345]
Srvcs.errcontroller - invalid call
Srvcs.APIController - attempting"
| makemv delim="
" raw
| mvexpand raw

| rename COMMENT AS "Everything above generates sample events; everything below is your solution"

| streamstats count AS _serial
| eval _time = _time + _serial
| rename raw AS _raw
| sort 0 - _time
| reverse
| streamstats count(eval(searchmatch("[12345]"))) AS sessionID
| dedup 2 sessionID
| stats min(_time) AS _time values(_raw) AS events BY sessionID

richgalloway · ‎10-05-2019

This sounds like a job for transaction.

index=foo source=bar sourcetype=baz | transaction startwith="12345" maxevents=2 | ...

---
If this reply helps you, Karma would be appreciated.

Deepz2612 · ‎10-05-2019

But that doesnt seem to work.
I tried but it is showing some other event and not this

Filtering Events

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk

Modern way of developing distributed application using OTel