Collating results from two different messages

  • Official comment
    Matt Sullivan

    Hi Sundar,

    It will be difficult without seeing more context to provide a precise query for this one. Some questions I would have:

    1. Are there jobs besides ABB that need to be handled?
    2. Statuses beyond started and success that you care about?
    3. Will there be multiple instances of ABB_START_JOB that overlap each other?

    Whatever the answers, it's likely that transactionize + merge will help solve the problem.

    An example to get you started, which would parse the above and treat each STATUS:STARTED as the beginning of a new transaction. It assumes all logs have the xxx_START_JOB form, with xxx being the job name, e.g. ABB:

    <your scope>
    | parse "JOB_NAME: * " as job_status, "START_TIME:* " as start, "END_TIME:* " as end, "STATUS:* " as status
    | split job_status delim='_' extract 1 as job
    | transactionize job as jobid startsWith="STATUS:STARTED" (merge job takeFirst, start takeFirst, end takeLast, status takeLast)
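To show why the question about overlapping job instances matters, the following added example (Python, not Sumo Logic code and not part of the original reply) emulates the grouping rule the reply describes: group by job, open a new transaction at each STATUS:STARTED, keep the first start and the last end and status. The log lines are constructed to fit the parse anchors; the `NA` placeholder, the XYZ job and all function names are assumptions, and the emulation makes no claim about how Sumo Logic implements transactionize internally.

```python
import re

# Anchors mirror the parse expressions in the reply ("JOB_NAME: * " etc.).
ANCHORS = {
    "job_status": r"JOB_NAME: (\S+) ",
    "start": r"START_TIME:(\S+) ",
    "end": r"END_TIME:(\S+) ",
    "status": r"STATUS:(\S+) ",
}

def parse(line):
    """Return the parsed fields, or None when any anchor is missing."""
    rec = {}
    for name, pattern in ANCHORS.items():
        m = re.search(pattern, line)
        if m is None:
            return None
        rec[name] = m.group(1)
    rec["job"] = rec["job_status"].split("_")[0]  # ABB_START_JOB -> ABB
    return rec

def merge(records):
    """job/start come from the first record, end/status from the last."""
    first, last = records[0], records[-1]
    return {"job": first["job"], "start": first["start"],
            "end": last["end"], "status": last["status"]}

def transactionize(lines, starts_with="STATUS:STARTED"):
    """Group lines per job; a line containing starts_with opens a new group."""
    open_tx, groups = {}, []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if starts_with in line or rec["job"] not in open_tx:
            open_tx[rec["job"]] = len(groups)
            groups.append([])
        groups[open_tx[rec["job"]]].append(rec)
    return [merge(g) for g in groups]

def sample(job, start, end, status):
    """Build a constructed log line (format assumed from the anchors)."""
    return f"JOB_NAME: {job}_START_JOB START_TIME:{start} END_TIME:{end} STATUS:{status} "

# Constructed data. In OVERLAP the second STARTED closes the first ABB run early.
CLEAN = [sample("ABB", "10:00", "NA", "STARTED"), sample("XYZ", "10:01", "NA", "STARTED"),
         sample("ABB", "10:00", "10:05", "SUCCESS"), sample("XYZ", "10:01", "10:07", "SUCCESS")]
OVERLAP = [sample("ABB", "10:00", "NA", "STARTED"), sample("ABB", "10:02", "NA", "STARTED"),
           sample("ABB", "10:00", "10:05", "SUCCESS"), sample("ABB", "10:02", "10:06", "SUCCESS")]
```

With non-overlapping runs each job collapses to one start/end pair; with overlapping runs the first ABB transaction is left at STARTED and the 10:05 completion is absorbed into the second, so the grouping key would need something that distinguishes instances.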