transaction
Description
The transaction command groups sequential events into a single transaction if the values of the specified fields for comparison match exactly. The conditions for the start and end of a transaction are defined in optional arguments.
Syntax
transaction <field-list> [timefield=<timefield>] [maxspan=<span>] [maxpause=<span>] [maxevents=<int>] [startswith=<search-expression>] [endswith=<search-expression>] [rawevent=<field>] [keepevicted=<boolean>]
Required Arguments
| Parameter | Syntax | Description |
|---|---|---|
| <field-list> | <field> [, <field>] | List of fields whose values must match exactly for events to be grouped into one transaction. |
Optional Arguments
| Parameter | Syntax | Default | Description |
|---|---|---|---|
| timefield | timefield=<field> | @timestamp | The name of the field containing the event timestamp. |
| rawevent | rawevent=<field> | not specified | The name of the field whose values from all events of the transaction are concatenated into a single value. |
| maxspan | maxspan=<span> | no limit | The maximum duration of a transaction, measured from its first event to its last. An event that would extend the transaction beyond this span starts a new transaction. |
| maxpause | maxpause=<span> | no limit | The maximum interval between two consecutive events of a transaction. An event that arrives after a longer pause starts a new transaction. |
| maxevents | maxevents=<int> | no limit | The maximum number of events in a transaction. |
| startswith | startswith=<search-expression> | not specified | Defines the condition an event must meet to be considered the start of a transaction. A transaction is created only after a matching event appears, and each such event starts a new transaction. |
| endswith | endswith=<search-expression> | not specified | Defines the condition an event must meet to be considered the end of a transaction. After such an event is added, the transaction is closed. |
| keepevicted | keepevicted=<boolean> | false | Specifies whether evicted transactions are output. These are transactions that were started by the startswith condition but not completed by the endswith condition. |
The <span> values use the format (+|-)<int>(s|m|h|d|w|month), where the unit may be written as:
- s/sec/secs/second/seconds - seconds
- m/min/mins/minute/minutes - minutes
- h/hr/hrs/hour/hours - hours
- d/day/days - days
- w/week/weeks - weeks
- mon/month/months - months
If the source events already contain the fields duration, eventcount or closed_txn, those values are overwritten by the statistics the transaction command computes. If the rawevent option is specified and the source events contain the field it names, that field in the results is overwritten with the concatenated value.
Query Examples
Example 1
Search for slow tasks.
```
... | transaction job_id
| where duration > 120
```
Events with the same job_id are grouped into a transaction. The subsequent where filter keeps only the long-running tasks, that is, transactions whose duration exceeds 120.
Example 2
Tracking a user session with time constraints.
```
... | transaction session_id maxspan=10m maxpause=30s
```
Events with the same session_id are grouped into a transaction. The transaction ends if the event sequence lasts more than 10 minutes or the interval between events exceeds 30 seconds.
Example 3
A successful purchase in an online store.
```
... | transaction JSESSIONID, clientip startswith=(action="view") endswith="purchase" rawevent=action
```
Events with identical JSESSIONID and clientip are grouped into a transaction. The transaction must start with an event whose action field equals view and end with an event in which any field equals purchase. If a transaction has started and another event with action view is encountered before the end condition is met, the open transaction is closed with the status evicted and a new transaction begins. Because keepevicted is not set, the result includes only successful transactions. The action values of all events in a successful transaction are concatenated into a single string and written to the action field.
Example 4
All actions in an online store.
```
... | transaction JSESSIONID, clientip startswith=(action="view") endswith="purchase" maxspan=5m keepevicted=true
```
In this query, in addition to the startswith and endswith conditions, the maximum transaction duration (maxspan) and the keepevicted parameter are set. As in the previous example, only event sequences that start with view and end with purchase form a successful transaction; additionally, the transaction duration must not exceed 5 minutes. Transactions that started but were terminated by the time limit or by a new view event are considered evicted. They are included in the query result because keepevicted is set to true.
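The grouping rules from Examples 2 to 4 (field matching, maxspan/maxpause, startswith/endswith, eviction, keepevicted and rawevent concatenation) modelled in Python over a constructed event set. This is an added illustration of the documented semantics, not the product's own implementation; predicates, the assumption that maxspan/maxpause are given in seconds, and the event data are all constructed here.

```python
from datetime import datetime

# Constructed sample events (not taken from the page), one purchase flow per session.
EVENTS = [
    {"@timestamp": "2024-01-01T10:00:00", "JSESSIONID": "s1", "clientip": "10.0.0.1", "action": "view"},
    {"@timestamp": "2024-01-01T10:00:20", "JSESSIONID": "s1", "clientip": "10.0.0.1", "action": "add_to_cart"},
    {"@timestamp": "2024-01-01T10:01:00", "JSESSIONID": "s1", "clientip": "10.0.0.1", "action": "purchase"},
    {"@timestamp": "2024-01-01T10:05:00", "JSESSIONID": "s2", "clientip": "10.0.0.2", "action": "view"},
    {"@timestamp": "2024-01-01T10:06:00", "JSESSIONID": "s2", "clientip": "10.0.0.2", "action": "view"},
    {"@timestamp": "2024-01-01T10:06:30", "JSESSIONID": "s2", "clientip": "10.0.0.2", "action": "purchase"},
    {"@timestamp": "2024-01-01T10:10:00", "JSESSIONID": "s3", "clientip": "10.0.0.3", "action": "view"},
    {"@timestamp": "2024-01-01T10:20:00", "JSESSIONID": "s3", "clientip": "10.0.0.3", "action": "purchase"},
]
ts = lambda e: datetime.fromisoformat(e["@timestamp"])  # timefield is @timestamp here

def transaction(events, fields, startswith=None, endswith=None, maxspan=None,
                maxpause=None, rawevent=None, keepevicted=False):
    """Model of the documented grouping rules (an assumption, not the product's code).
    startswith/endswith are predicates over one event; maxspan/maxpause are seconds."""
    open_txns, results = {}, []

    def close(key, completed):  # completed=False marks an evicted transaction
        evs = open_txns.pop(key)
        out = dict(evs[0])
        out["duration"] = (ts(evs[-1]) - ts(evs[0])).total_seconds()
        out["eventcount"] = len(evs)
        out["closed_txn"] = completed
        if rawevent:  # concatenate the field's values across the whole transaction
            out[rawevent] = " ".join(str(e.get(rawevent, "")) for e in evs)
        if completed or keepevicted:
            results.append(out)

    for ev in sorted(events, key=ts):
        key = tuple(ev.get(f) for f in fields)
        cur = open_txns.get(key)
        if cur is not None and (
                (maxpause is not None and (ts(ev) - ts(cur[-1])).total_seconds() > maxpause)
                or (maxspan is not None and (ts(ev) - ts(cur[0])).total_seconds() > maxspan)
                or (startswith is not None and startswith(ev))):
            # limit exceeded or new start event: evicted if endswith is set, else a normal boundary
            close(key, completed=endswith is None)
            cur = None
        if cur is None:
            if startswith is not None and not startswith(ev):
                continue  # nothing is collected until a start event appears
            cur = open_txns[key] = []
        cur.append(ev)
        if endswith is not None and endswith(ev):
            close(key, completed=True)
    for key in list(open_txns):  # still open when the input ends
        close(key, completed=endswith is None)
    return results
```

With the Example 3 arguments the model returns three successful transactions; with the Example 4 arguments it also returns the two evicted ones (the restarted s2 session and the s3 session that exceeded 5 minutes).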