# source the events in chron order (so "start" is before "end")
index=cst sourcetype=mav-golf | reverse
# add a line number / temp id to the events
| eval lc=1 | accum lc
# extract a field to make it easier to deal with action
# not really necessary in this example - could just search for "start" / "end"
| rex field=_raw "ID=\S\s(?<action>\S+)\s" | stats list(action) as action by ID, lc
# find action=start for each identifier and join that back into each row
| join ID type=left [search index=cst sourcetype=mav-golf | reverse | eval lc=1 | accum lc | rex field=_raw "ID=\S\s(?<action>\S+)\s" | search action=start | stats first(lc) as open by ID]
# find action=end for each identifier and join that back into each row
| join ID type=left [search index=cst sourcetype=mav-golf | reverse | eval lc=1 | accum lc | rex field=_raw "ID=\S\s(?<action>\S+)\s" | search action=end | stats last(lc) as close by ID]
# lastly, test each event to see if it's own id is between the start and end.
# if so - count it.
| eval sc = if(lc>open, if(lc<close, 1, 0), 0)
# And then sum up those events which should be counted.
| stats sum(sc) as num_events by ID
Find the number of events within a sequence of events based on a shared identifier. Keywords ("start" and "end") mark the beginning and end of the sequence. The search cannot use the transaction command.
Data like the following:
01/01/2014 01:01:00.003 ID=a start blah blah
01/01/2014 01:01:01.003 ID=d more blah blah
01/01/2014 01:01:02.003 ID=a end blah blah
01/01/2014 01:01:03.003 ID=b start blah blah
01/01/2014 01:01:04.003 ID=c start blah blah
01/01/2014 01:01:05.003 ID=y more blah blah
01/01/2014 01:01:05.006 ID=c more blah blah
01/01/2014 01:01:05.033 ID=c more blah blah
01/01/2014 01:01:06.003 ID=c end blah blah
01/01/2014 01:01:06.033 ID=b more blah blah
01/01/2014 01:01:07.003 ID=b end blah blah
01/01/2014 01:01:08.004 ID=c more blah blah
01/01/2014 01:01:09.005 ID=b more blah blah