The transaction command is most useful in two specific cases:

1. A unique id (from one or more fields) alone is not sufficient to discriminate between two transactions. This is the case when the identifier is reused, for example web sessions identified by cookie/client IP. In this case, time span or pauses are also used to segment the data into transactions. In other cases when an identifier is reused, say in DHCP logs, a particular message may identify the beginning or end of a transaction.

2. When it is desirable to see the raw text of the events combined rather than analysis on the constituent fields of the events.

In other cases it is usually better to use stats, as the performance is higher, especially in a distributed search environment. Often there is a unique id and stats can be used.

For example, to compute statistics on the duration of trades identified by the unique id "trade_id", the following searches will yield the same answer:

| stats range(_time) as duration by trade_id | chart count by duration span=log2

and

| transaction trade_id | chart count by duration span=log2

If, however, trade_ids are reused but each trade ends with some text "END", the only viable solution is:

| transaction trade_id endswith=END | chart count by duration span=log2

If, instead, trade_ids are not reused within 10 minutes, the solution is:

| transaction trade_id maxpause=10m | chart count by duration span=log2

Both are similar in that they allow you to aggregate individual events/lines together. However, stats is meant to calculate statistical values on events grouped by the value of fields, and discards the events.
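To make the difference concrete, here is an added Python model (not Splunk code, and not from the original post) of what the searches above do to a constructed event set in which trade_id "T1" is reused. It shows why stats range(_time) by trade_id merges both T1 trades into one span, while transaction with maxpause=600 (the page's 10m) or endswith=END splits them and keeps the raw events; the event tuples and the field names are assumptions for the illustration.

```python
from collections import defaultdict

# Constructed sample events: (epoch seconds, trade_id, message).
# "T1" is reused 30 minutes later for a second, unrelated trade, which is
# the case the page says a unique id alone cannot separate.
EVENTS = [
    (0,    "T1", "OPEN"),
    (60,   "T1", "FILL"),
    (120,  "T1", "END"),
    (1800, "T1", "OPEN"),   # same id reused for a new trade
    (1900, "T1", "END"),
    (10,   "T2", "OPEN"),
    (400,  "T2", "END"),
]

def stats_range_by_id(events):
    """Model of `stats range(_time) as duration by trade_id`: one row per
    id spanning earliest to latest event; the raw events are discarded."""
    times = defaultdict(list)
    for t, tid, _ in events:
        times[tid].append(t)
    return {tid: max(ts) - min(ts) for tid, ts in times.items()}

def transaction(events, maxpause=None, endswith=None):
    """Model of `transaction trade_id [maxpause=N] [endswith=MSG]`: events
    with the same id are grouped in time order; a gap larger than maxpause
    starts a new group, and an event whose message equals endswith closes
    the current one. Returns (trade_id, duration, raw events) per group."""
    by_id = defaultdict(list)
    for ev in sorted(events):
        by_id[ev[1]].append(ev)
    result = []
    for tid, evs in by_id.items():
        group = []
        for ev in evs:
            if group and maxpause is not None and ev[0] - group[-1][0] > maxpause:
                result.append((tid, group[-1][0] - group[0][0], group))
                group = []
            group.append(ev)
            if endswith is not None and ev[2] == endswith:
                result.append((tid, group[-1][0] - group[0][0], group))
                group = []
        if group:  # trailing events with no closing message form a group
            result.append((tid, group[-1][0] - group[0][0], group))
    return result
```

With no options transaction gives the same durations as stats (T1 is wrongly 1900 s in both); with maxpause or endswith it reports two T1 trades of 120 s and 100 s.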