Join two lines together after match of the first



  • Tapan Banerjee
    Have you tried the join feature? I have written queries to fetch the time spent in each collector by using the 'join' command. Here is an example.

        _collector=corral_checkmate_light*
        | join
            (parse "Completed * in *ms * {\"trace_id\":\"*\"," as status,t,del,traceId) as completed,
            (parse "app_url\\\"=>\\\"form/save\\\"}\", \"component\": \"Checkmate\"*{\"trace_id\":\"*\"," as del2,traceId) as saveStatus
          on completed.traceId=saveStatus.traceId
        | count(completed_t) as total_save, min(completed_t) as min_checkmate_saveTime, avg(completed_t) as avg_Checkmate_SaveTime, max(completed_t) as max_checkmate_saveTime by completed_status
        | min_checkmate_saveTime/1000 as min_checkmate_saveTime
        | avg_Checkmate_SaveTime/1000 as avg_Checkmate_SaveTime
        | max_checkmate_saveTime/1000 as max_checkmate_saveTime

    This query may not work for you since it works on the log patterns I have, but it can help you understand how this can be done.