Given this query (not exact, for commercial reasons):
index=prod sourcetype=wps.log module="PXY_*" (`transaction_filter`)
| dedup host _raw
| eval timestamps=_time
| convert timeformat="%s" ctime(_time) as TimeStamp
| search [| inputlookup outages | eval StartTime = strftime(strptime(Start,"%d/%m/%Y, %H:%M"),"%s")
| eval EndTime = strftime(strptime(End,"%d/%m/%Y, %H:%M"),"%s")
| eval search = "(TimeStamp < \""+StartTime+"\" OR TimeStamp > \""+EndTime+"\")"
| fields search | mvcombine search | eval search = "(" + mvjoin(search, " ") + ")"]
I had used this in v5 to filter out results that fell within an outage period. The prerequisite for this is a lookup table called 'outages'.
The result of the subsearch looked like this.
((TimeStamp < "1398949200" OR TimeStamp > "1398974400") (TimeStamp < "1399554000" OR TimeStamp > "1399575600") (TimeStamp < "1399726800" OR TimeStamp > "1399748400") (TimeStamp < "1399986000" OR TimeStamp > "1400011200") (TimeStamp < "1400072400" OR TimeStamp > "1400097600") (TimeStamp < "1400418000" OR TimeStamp > "1400443200") (TimeStamp < "1400504400" OR TimeStamp > "1400529600") (TimeStamp < "1400763600" OR TimeStamp > "1400788800") (TimeStamp < "1400763600" OR TimeStamp > "1400778000") (TimeStamp < "1400936400" OR TimeStamp > "1400958000") (TimeStamp < "1401282000" OR TimeStamp > "1401307200") (TimeStamp < "1401454800" OR TimeStamp > "1401516000") (TimeStamp < "1401541200" ))
Before the upgrade, it just worked as it should've. After upgrade, nada. Defect perhaps?
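The logic the subsearch builds, as an added Python example that is not part of the original post and not Splunk code: it reproduces the generated search string from a constructed stand-in for the 'outages' lookup and then applies the same condition directly to constructed events. Assumptions: lookup times are parsed as UTC (Splunk's strptime uses the search-head or user time zone, so the real epoch values depend on that), a row with an empty End is treated as open-ended and yields a clause with only a lower bound, like the last clause in the posted output, and every function name, lookup row and event is hypothetical.

```python
import csv
import io
from datetime import datetime, timezone

# Same format string the subsearch passes to strptime().
LOOKUP_TIME_FORMAT = "%d/%m/%Y, %H:%M"

# Constructed stand-in for the 'outages' lookup (hypothetical rows, not the
# original table). The third row has no End, which produces a clause with
# only a lower bound.
OUTAGES_CSV = """Start,End
"01/05/2014, 13:00","01/05/2014, 20:00"
"08/05/2014, 13:00","08/05/2014, 19:00"
"31/05/2014, 13:00",
"""

# Constructed events: only _time matters for the filter.
EVENTS = [
    {"id": "a", "_time": 1398949199},  # one second before the first outage
    {"id": "b", "_time": 1398949200},  # exactly at Start (strict <, so dropped)
    {"id": "c", "_time": 1398960000},  # inside the first outage
    {"id": "d", "_time": 1398974400},  # exactly at End (strict >, so dropped)
    {"id": "e", "_time": 1398974401},  # one second after the first outage
    {"id": "f", "_time": 1399553999},  # between outages
    {"id": "g", "_time": 1401541300},  # after the open-ended Start: dropped
]


def to_epoch(value):
    """Mirror strftime(strptime(value, FORMAT), "%s"); assumes UTC. Empty -> None."""
    value = value.strip()
    if not value:
        return None
    parsed = datetime.strptime(value, LOOKUP_TIME_FORMAT).replace(tzinfo=timezone.utc)
    return int(parsed.timestamp())


def load_outages(csv_text):
    """Return a list of (start_epoch, end_epoch_or_None) tuples from the lookup."""
    return [(to_epoch(row["Start"]), to_epoch(row["End"]))
            for row in csv.DictReader(io.StringIO(csv_text))]


def build_filter(outages):
    """Reproduce the string the subsearch hands to the outer `search` command."""
    clauses = []
    for start, end in outages:
        if end is None:
            clauses.append('(TimeStamp < "%d" )' % start)
        else:
            clauses.append('(TimeStamp < "%d" OR TimeStamp > "%d")' % (start, end))
    # mvcombine + mvjoin(search, " "): adjacent clauses are ANDed by `search`.
    return "(" + " ".join(clauses) + ")"


def outside_all_outages(ts, outages):
    """The same condition evaluated directly: keep an event only if it is outside every window."""
    for start, end in outages:
        # (TimeStamp < start OR TimeStamp > end) fails exactly when start <= ts <= end;
        # an open-ended clause (TimeStamp < start) fails for every ts >= start.
        in_window = ts >= start if end is None else (start <= ts <= end)
        if in_window:
            return False
    return True


def filter_events(events, outages):
    """Events that survive the outage filter, in their original order."""
    return [e for e in events if outside_all_outages(e["_time"], outages)]


if __name__ == "__main__":
    outages = load_outages(OUTAGES_CSV)
    print(build_filter(outages))
    print([e["id"] for e in filter_events(EVENTS, outages)])
```

Two things worth checking before trusting the output of the real search: the comparisons are strict, so an event stamped exactly at Start or End is dropped along with the outage, and a row whose End is empty produces a clause with no upper bound, which suppresses every event from that Start onwards.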