I have some ironport mail logs, with inside some fields. Someone else out there may have a more streamlined approach, but this should do the trick for you.I would like to construct a complete transaction of a mail session, starting from the customer smtp connection, until the final delivery of the message.
Modifying the illustration by the search would look like this: | stats count | eval event = "end start start" | makemv event | mvexpand event | eval sField=1 | streamstats count | eval _time = now() - count | eventstats max(count) as mCount by sField | transaction startswith="event=start sField=mCount" endswith="event=end" keepevicted=t | streamstats count by gField sField | eventstats max(count) as sFieldMax by sField | transaction gField startswith="sField= count=sFieldOrder" endswith="sField=" I think you can do this using streamstats to count each occurrence of your starting events, using eventstats to find the starting event with the highest count (i.e., the oldest one), and then include that count as a criteria for startswith.įor my example search, assume that gField is the field that contains the common element between your events (like a transaction number, session id, or something like that), and that sField is a field that you use in your startswith criteria. Then instead of picking the first scan-started event in each transaction it picks up the last scan-started in each transaction and as a result duration of my transactions is much shorter than what I really am interested in measuring.
Thank you Martin, unfortuantely I do not have a common element between the events in my transactions.
0 kommentar(er)
