Identify state depending on one or more log lines

Question

I have logs for file imports

01-01-21 10:00:00  File Read   , filename_a
01-01-21 10:00:01  File failed , filename_a
01-01-21 10:00:01  File Read   , filename_b
01-01-21 10:00:02  File failed , filename_a
01-01-21 10:00:03  File succeed, filename_a
01-01-21 10:00:04  File failed , filename_b

how can I detect that file "a" has been successfully imported, while file "b" is in a failure mode?

I've tried transaction but to no avail.

Answer 1

Once you have the status and filename fields extracted, select the most recent event for each file. That will tell you the current status.

index=foo
| rex "File (?<status>\w+)\s*, (?<filename>.*)
| dedup filename