transaction
Description
Groups events that share the same values of the listed fields into transactions, optionally bounded in time by maxspan and maxpause, and returns one result per transaction together with its eventcount and duration statistics.
Syntax
transaction <field-list> [timefield=<timefield>] [maxspan=<span>] [maxpause=<span>] [rawevent=<field>]
Required Arguments
| Parameter | Syntax | Description |
|---|---|---|
| <field-list> | <field> [, <field>] | List of fields whose values must match for events to belong to the same transaction. |
Optional Arguments
| Parameter | Syntax | Default | Description |
|---|---|---|---|
| timefield | timefield=<field> | @timestamp | The name of the field containing the timestamp used to order events and to evaluate maxspan and maxpause. |
| rawevent | rawevent=<field> | none | The name of the field whose values from all events of a transaction are concatenated into a single rawevent value. |
| maxspan | maxspan=<span> | no limit | Maximum time between the first and the last event of a transaction. An event that falls outside this period starts a new transaction. |
| maxpause | maxpause=<span> | no limit | Maximum time between two consecutive events of a transaction. An event that falls outside this period starts a new transaction. |
A <span> is written as (+|-)<int><unit>, where <unit> is one of the following:
- s/sec/secs/second/seconds - seconds
- m/min/mins/minute/minutes - minutes
- h/hr/hrs/hour/hours - hours
- d/day/days - days
- w/week/weeks - weeks
- mon/month/months - months
warning
transaction adds the fields duration and eventcount to every result; if the source events already contain fields with these names, they are overwritten by the statistical results of the command. Likewise, if the rawevent option is specified and the source events already contain a rawevent field, that field is overwritten in the results by the concatenated value.
Query Examples
Example #1
Group events by field1 and field2 with no time limits.
... | transaction field1, field2
Example #2
Start a new transaction when more than 1 minute separates an event from the first event of the current transaction.
... | transaction field1, field2 maxspan=1m
Example #3
Start a new transaction when more than 1 minute separates two consecutive events.
... | transaction field1, field2 maxpause=1m
Example #4
Apply both limits and read timestamps from the field myTimeStamp instead of @timestamp.
... | transaction field1, field2 maxpause=1m maxspan=1m timefield=myTimeStamp
Example #5
As Example #4, and additionally concatenate the message field of every event in a transaction into a single rawevent value.
... | transaction field1, field2 maxpause=1m maxspan=1m timefield=myTimeStamp rawevent=message
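The following Python model is an added example and not the product's implementation of transaction. It reproduces the documented grouping rules (matching field values, maxspan measured from the first event, maxpause measured from the previous event, eventcount and duration statistics, rawevent concatenation) on a constructed set of authentication events, so the effect of Examples #2, #3 and #5 can be observed offline. The names SAMPLE_EVENTS, parse_span and transaction, the newline separator used for rawevent, the 30-day approximation of a month and the choice to open a new transaction only when a limit is strictly exceeded are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not from the page): an authentication log keyed on
# user and src_ip. Alice's fourth event arrives 2m20s after her third one.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-05-01T10:00:10Z", "user": "bob",   "src_ip": "10.0.0.9", "message": "login ok"},
    {"@timestamp": "2024-05-01T10:00:00Z", "user": "alice", "src_ip": "10.0.0.5", "message": "login failed"},
    {"@timestamp": "2024-05-01T10:00:20Z", "user": "alice", "src_ip": "10.0.0.5", "message": "login failed"},
    {"@timestamp": "2024-05-01T10:00:40Z", "user": "alice", "src_ip": "10.0.0.5", "message": "login ok"},
    {"@timestamp": "2024-05-01T10:03:00Z", "user": "alice", "src_ip": "10.0.0.5", "message": "sudo su"},
]

# Span units listed in the documentation; a month is approximated as 30 days (assumption).
SPAN_UNITS = {
    "s": 1, "sec": 1, "secs": 1, "second": 1, "seconds": 1,
    "m": 60, "min": 60, "mins": 60, "minute": 60, "minutes": 60,
    "h": 3600, "hr": 3600, "hrs": 3600, "hour": 3600, "hours": 3600,
    "d": 86400, "day": 86400, "days": 86400,
    "w": 604800, "week": 604800, "weeks": 604800,
    "mon": 2592000, "month": 2592000, "months": 2592000,
}


def parse_span(text):
    """Parse a span such as '1m' or '+30s' into a timedelta.

    The page allows a leading sign; a negative maxspan/maxpause has no meaning
    for grouping, so only non-negative values are accepted here (assumption)."""
    m = re.fullmatch(r"\+?(\d+)([a-z]+)", text.strip().lower())
    if not m or m.group(2) not in SPAN_UNITS:
        raise ValueError(f"bad span: {text!r}")
    return timedelta(seconds=int(m.group(1)) * SPAN_UNITS[m.group(2)])


def parse_ts(value):
    """Parse an ISO 8601 timestamp; a trailing 'Z' is treated as UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def transaction(events, fields, timefield="@timestamp", maxspan=None, maxpause=None, rawevent=None):
    """Group events sharing the same values of `fields` into transactions.

    A transaction is closed and a new one opened when the next matching event is
    more than maxspan after the transaction's first event, or more than maxpause
    after its previous event. Each result carries the grouping fields, the first
    event's timestamp, eventcount, duration (seconds) and, if requested, rawevent."""
    span = parse_span(maxspan) if maxspan else None
    pause = parse_span(maxpause) if maxpause else None

    def close(txn):
        evs = txn["_events"]
        out = {f: evs[0].get(f) for f in fields}
        out[timefield] = evs[0][timefield]
        out["eventcount"] = len(evs)          # overwrites any source field of that name
        out["duration"] = (txn["_last"] - txn["_start"]).total_seconds()
        if rawevent:
            # Separator for the concatenated values is not specified by the page; newline is an assumption.
            out["rawevent"] = "\n".join(str(e.get(rawevent, "")) for e in evs)
        return out

    open_txns = {}   # grouping key -> currently open transaction
    closed = []
    for ev in sorted(events, key=lambda e: parse_ts(e[timefield])):
        key = tuple(ev.get(f) for f in fields)
        ts = parse_ts(ev[timefield])
        txn = open_txns.get(key)
        if txn is not None and (
            (span is not None and ts - txn["_start"] > span)
            or (pause is not None and ts - txn["_last"] > pause)
        ):
            closed.append(close(txn))   # limit exceeded: this event starts a new transaction
            txn = None
        if txn is None:
            txn = {"_start": ts, "_last": ts, "_events": []}
            open_txns[key] = txn
        txn["_events"].append(ev)
        txn["_last"] = ts
    closed.extend(close(t) for t in open_txns.values())
    return sorted(closed, key=lambda t: parse_ts(t[timefield]))


if __name__ == "__main__":
    # Equivalent of: ... | transaction user, src_ip maxpause=1m rawevent=message
    for t in transaction(SAMPLE_EVENTS, ["user", "src_ip"], maxpause="1m", rawevent="message"):
        print(t)
```

With no limits, alice's four events form one transaction of 180 seconds. With maxpause=1m the 2m20s gap before her last event splits her activity into a three-event transaction and a one-event transaction, while maxspan=30s additionally splits the first three events because the third one is 40 seconds after the first; bob's single event is a transaction of its own in every case.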