Hi, I want to count the number or errors within two keywords say starttran and endtran. My log data would be like
- starttran
- tran Id:1000
- error*
- abc done
- error*
- endtran
My query : sourcetype="abc" | eval haserror=if(searchmatch("error"),1,0) | transaction startswith=starttran endswith=endtran mvlist=haserror | table haserror TRANID
O/P
- haserror / TRANID
- 0
- 0 / 1000
- 1
- 0
- 1
- 0
But i want it like
- haserror / TRANID
- 2 / 1000
I tried using sum(haserror) by TRANID but din't. Kindly help . Also here can't TRANID be used as unique ID ?
Thanks a lot