I have a search using transaction and the startswith/endswith but I don't know how to call the Task_time field in the starts with of my transaction "Encode Time" and the Task_time field in the ends with "Transfer Time"?
You can use eval to achieve this, by evaluating those fields before the transaction. Suppose the initial event includes the word "Encode" and the final event contains the word "Transfer". For example:
... | eval Encode_Time=if(searchmatch("Encode"), Task_time, null())
| eval Transfer_time=if(searchmatch("Transfer"), Task_time, null())
| transaction <uid>
Alternately, if the Encode event really starts the transaction and the Transfer event really ends it, you can just use eval after the transaction to pick the values of the Task_time multivalued field:
... | transaction <uid>
| eval Encode_time = mvindex(Task_time, 0)
| eval Transfer_time = mvindex(Task_time, -1)
keep getting "Error in 'fieldformat' command: Typechecking failed. '/' only takes numbers."
You can put those at the very end, but you have to do it twice, once for each of the fields "Encode" and "Transfer", not for "Task_time". Also, you can combine the two. For instance, add: | fieldformat Encode = tostring(Encode/1000, "duration") | fieldformat Transfer = tostring(Transfer/1000, "duration")
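As an added example (not code from the original thread), here is the complete search the thread converges on: the transaction is bracketed by the two marker strings, the first and last Task_time values are picked out with mvindex, and the millisecond-to-HH:MM:SS formatting is applied to those two single-valued fields rather than to the multivalue Task_time. The index, sourcetype, hosts, field names and marker strings are the ones quoted in the thread; the `_sec` helper fields and the underscore in `Copy_Transfer` are my own choices to avoid quoting field names with spaces inside eval expressions.

```spl
index=myindex sourcetype=box-app (host=box04* OR host=box050)
| transaction task_id startswith="SUCCESS : 100% : Encode completed" endswith="SUCCESS : 100% : (PUSH) completed"
| eval Encode = mvindex(Task_time, 0)
| eval Copy_Transfer = mvindex(Task_time, -1)
| eval Encode_sec = tonumber(Encode) / 1000
| eval Copy_Transfer_sec = tonumber(Copy_Transfer) / 1000
| fieldformat Encode = tostring(Encode_sec, "duration")
| fieldformat Copy_Transfer = tostring(Copy_Transfer_sec, "duration")
| rename Copy_Transfer AS "Copy Transfer"
| table task_id Encode "Copy Transfer"
```

The explicit tonumber() matters: mvindex() returns a string, and fieldformat's typechecker rejects `/` on anything it cannot prove is numeric, which is the error quoted above. Doing the division in eval on the two picked values, and keeping fieldformat to the tostring() call, sidesteps it; the underlying millisecond values stay in Encode and Copy_Transfer for sorting and stats, with only the display changed.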
Where do I stick this, which converts milliseconds to HH:MM:SS?
eval inSec = Task_time / 1000 | fieldformat Task_time = tostring(inSec, "duration")
Like in the original answer, you have two choices:
eval Encode=if(searchmatch("Encode completed"), Task_time, null())
and eval Transfer=if(searchmatch("PUSH completed"), Task_time, null())
. This will leave each transaction with one value for Encode, and one value for Transfer.
hehe - ok finally that gets me down to the two lines per task_id that I'm looking for. Next is, since both the encode and the copy line have a value for Task_time, how do I rename the encode Task_time field as one thing and the copy as another?
You're absolutely right. Take out the NOT.
why would I add NOT if the encode and copy strings are exactly what I'm trying to get?
They each have one Task_time field per task_id
If you want to exclude other events from the transaction, you can add to the search part before the first pipe: NOT ("SUCCESS : 100% : Encode completed" OR "SUCCESS : 100% : (PUSH) completed").
Are you saying that the "Encode" and "Copy Transfer" fields have more than one value each?
Doesn't seem to work; I get all the results within my start/end transaction, not just the two above that I'm looking for. They all have Task_time fields and I can't tell which ones are which if I can't rename them appropriately.
You should be able to search:
index=myindex sourcetype=box-app host=box04* OR host=box050 | transaction task_id startswith="SUCCESS : 100% : Encode completed" endswith="SUCCESS : 100% : (PUSH) completed" | eval Encode = mvindex(Task_time, 0) | eval "Copy Transfer" = mvindex(Task_time, -1) | table "Encode" "Copy Transfer"
Here's my search as it currently stands:
index=myindex sourcetype=box-app host=box04* OR host=box050 | transaction task_id startswith="SUCCESS : 100% : Encode completed" endswith="SUCCESS : 100% : (PUSH) completed" | eval startswith = mvindex(Task_time, 0) | rename Task_time AS " Encode" | eval endswith = mvindex(Task_time, -1) | rename Task_time AS "Copy Transfer" | fields " Encode" "Copy Transfer"
hmm ok I think we are getting somewhere, but encode and transfer are not really events; they are simply strings. I'm forcing them to be the first and last in the transaction by using the startswith/endswith parameters.