Two answers: one using your search, then another that should end up 173.54 times as fast¹. Actually three - one using your search that won't work, one that should, then one that's 173.54 times as fast¹.

First, using your search you simply need to add an eval to create the new field after your join.

index=UAT_Ncache_UserSearchesInfo searchid="8e0aa7bf-9346-453b-870d-2639e7c8d287" | eval date=substr(date,1,16) | fields date,searchid | join type=outer searchid | eval duration = date-endtime

Now, while I say that it's that simple, it probably isn't, because you'll likely need to convert those text-type date/time strings into something easier to add and subtract with and then convert it back into something readable. Note it got long enough that I busted my additional parts into separate lines.

index=UAT_Ncache_UserSearchesInfo searchid="8e0aa7bf-9346-453b-870d-2639e7c8d287" | eval date=substr(date,1,16) | fields date,searchid | join type=outer searchid
| eval duration=tostring(duration, "duration")

Now, I think every single time I write these I get my subtraction backwards, so just change duration=d1-d2 to duration=d2-d1 if necessary. The two strptime things convert the date/time strings into epoch times (e.g. seconds), which makes them easy to subtract. The eval duration=d1-d2 subtracts the two to get your duration, then the last statement just reformats the duration to be something other than seconds. You can leave that off if it'll always be very small numbers. That should then do what you want; try it and let us know!

Join is a wonderful command, but 95% or more of the time it's not needed and is practically always the slowest way to do something. The docs on Join even point this out and give alternates for other possible ways to do this. Given that you seem to be able to group these on searchid, try this using transaction.

index=UAT_Ncache_UserSearchesInfo OR index=UAT_Ncache_BookingInfo | eval date=substr(date,1,16) | transaction maxspan=10m searchid

Now, that's ONLY a sample; it's not complete, because the "duration" it creates is not the duration you want². Even with it being incomplete, it should take all the events from either index and group them on searchid, making each group a single event. Note please that you'll need to adjust your maxspan=10m to something reasonable for you. What it does is make transaction way more efficient by telling it how far forward/back in the event timestream it needs to look for the matching searchid to close the transaction and create the group. If you can reasonably say that will always be less than a minute, set it to 2m or something slightly higher. If you try some timeframe that seems reasonable, you can check it by looking at the field "eventcount", I think, and confirming there are no oddities there.

To this, if you'd like to do more, we certainly can. For instance, we can overwrite the default-created duration with your own by adding that logic to the end.

index=UAT_Ncache_UserSearchesInfo OR index=UAT_Ncache_BookingInfo

I think if you want to do more or have more specific questions on this, first try playing around with it a bit, but if you get stuck I'd say a new question would probably be your best bet!

Oh, one last note - leave them in to check your work and that it's doing the right math and stuff, but you can always remove fields at the very end like:

| fields - d1 d2 or whatever.

¹ I made up 173.54, but in larger data sets (e.g. greater than 2 events), the join will get VERY slow and even transaction will be significantly faster. In bigger data sets (thousands or millions of events) the difference could be many orders of magnitude.

² It creates a duration based on the _time of the events, using the difference between first and last. AND transaction isn't even the best way to do this, but it is "good enough" usually, and the way it groups events is very useful when you aren't sure what all you want to do with the resulting group, and is easy to understand.

By the way, I think the time on your indexer is off by a minute or two.
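The following is an added worked example and is not part of the answer above. It takes the direction that answer only hints at (the join docs' alternative, and transaction not being the best way) and computes the search-to-booking duration with stats instead of join or transaction. It assumes that the `date` field in both indexes is a text field whose first 16 characters read `YYYY-MM-DD HH:MM` (that format string is a guess; change it to match your data), and the names `t`, `t_search`, `t_booking` and `duration_readable` are chosen here, not taken from the original searches.

```spl
index=UAT_Ncache_UserSearchesInfo OR index=UAT_Ncache_BookingInfo
| eval t=strptime(substr(date,1,16), "%Y-%m-%d %H:%M")
| eval t_search=if(index="UAT_Ncache_UserSearchesInfo", t, null())
| eval t_booking=if(index="UAT_Ncache_BookingInfo", t, null())
| stats count AS eventcount min(t_search) AS t_search max(t_booking) AS t_booking BY searchid
| where isnotnull(t_search) AND isnotnull(t_booking)
| eval duration=t_booking-t_search
| eval duration_readable=tostring(duration, "duration")
| fields - t_search t_booking
```

The `eventcount` column plays the same role as the field of that name that transaction produces: a group with more than two events, or more than one per index, is the "oddity" worth looking at before trusting the math. With stats there is no maxspan; the time picker bounds how far apart a search and its booking can be, so pick a range that is wide enough to catch slow bookings but not so wide that the search scans far more than it needs to. A negative `duration` means the booking event is stamped earlier than the search that produced it, which is exactly the clock-skew symptom the answer mentions; leave the `where` line in to drop searches that never led to a booking, or negate it to list them.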