Search Reference

 


transaction

This documentation does not apply to the most recent version of Splunk.

Synopsis

Groups events into transactions.

Syntax

transaction [field-list] [name=transaction-name] [txn_definition-opt]* [memcontrol-opt]* [rendering-opt]*

Arguments

field-list
Datatype: <string>, ...
Description: A list of field names.
name
Datatype: <transaction-name>
Description: The name of a transaction definition from transactions.conf to be used for finding transactions. If other arguments (e.g., maxspan) are also passed to the transaction command, they override the values specified in the transaction definition.
txn_definition-opt
Datatype: <maxspan> | <maxpause> | <maxevents> | <startswith> | <endswith> | <connected>
Description: Transaction definition options.
memcontrol-opt
Datatype: <maxopentxn> | <maxopenevents> | <keepevicted>
Description: Memory constraint options.
rendering-opt
Datatype: <delim> | <mvlist>
Description: Multivalue rendering options.

Transaction definition options

connected=<bool>
Description: Relevant only if the field list is not empty. Controls whether an event that is neither inconsistent nor consistent with the fields of a transaction opens a new transaction (connected=t) or is added to the existing transaction (connected=f). An event is neither inconsistent nor consistent when it contains fields required by the transaction, but none of those fields has yet been instantiated in the transaction by a previously added event.
endswith=<transam-filter-string>
Description: A search or eval filtering expression which if satisfied by an event marks the end of a transaction.
maxspan=<int>(s|m|h|d)?
Description: The maxspan constraint requires the transaction's events to span less than maxspan. If value is negative, disable the maxspan constraint. By default, maxspan=-1 (no limit).
maxpause=<int>(s|m|h|d)?
Description: The maxpause constraint requires there be no pause between a transaction's events of greater than maxpause. If value is negative, disable the maxpause constraint. By default, maxpause=-1 (no limit).
maxevents=<int>
Description: The maximum number of events in a transaction. If the value is negative this constraint is disabled. By default, maxevents=1000.
startswith=<transam-filter-string>
Description: A search or eval filtering expression which if satisfied by an event marks the beginning of a new transaction.

Transam filter string options

<transam-filter-string>
Syntax: <search-expression> | (<quoted-search-expression>) | eval(<eval-expression>)
Description: A search or eval filtering expression which, if satisfied by an event, marks the beginning (startswith) or the end (endswith) of a transaction.
<search-expression>
Description: A valid search expression that does not contain quotes.
<quoted-search-expression>
Description: A valid search expression that contains quotes.
<eval-expression>
Description: A valid eval expression that evaluates to a Boolean.

Memory constraint options

keepevicted=<bool>
Description: Whether to output evicted transactions. Evicted transactions are events that do NOT match the transaction parameters; for example, the time range is wrong, or the "startswith" or "endswith" requirements are missing. Evicted transactions can be distinguished from non-evicted transactions by checking the value of the 'closed_txn' field, which is set to '0' for evicted transactions and '1' for closed ones. A transaction is evicted from memory when the memory limitations are reached.
maxopenevents=<int>
Description: Specifies the maximum number of events that can be part of open transactions before transaction eviction starts, using an LRU (least recently used) policy. The default value of this field is read from the transactions stanza in limits.conf.
maxopentxn=<int>
Description: Specifies the maximum number of not yet closed transactions to keep in the open pool before starting to evict transactions, using LRU policy. The default value of this field is read from the transactions stanza in limits.conf.

Multivalue rendering options

delim=<string>
Description: A string used to delimit the original event values in the transaction event fields. By default, delim=" ".
mvlist=<bool> | <field-list>
Description: Flag controlling whether the multivalued fields of the transaction are (1) a list of the original events ordered in arrival order or (2) a set of unique field values ordered lexicographically. If a comma- or space-delimited list of fields is provided, only those fields are rendered as lists. By default, mvlist=f.

Description

Given events as input, finds transactions based on events that meet various constraints. Transactions are made up of the raw text of each member, the time and date fields of the earliest member, as well as the union of all other fields of each member. By default multiple values are separated by a space (' '), but another character can be specified with the 'delim' argument.

This command produces two fields, duration and eventcount. The duration value is the difference between the timestamps for the first and last events in the transaction. The eventcount value is the number of events in the transaction.

Examples

Example 1: Group search results into a transaction when they have the same "host" and "cookie", occur within 30 seconds of each other, and do not have a pause greater than 5 seconds between each event.

... | transaction host,cookie maxspan=30s maxpause=5s

Example 2: Group search results into a transaction when they share the same value of "from", with a maximum span of 30 seconds and a pause between events no greater than 5 seconds.

... | transaction from maxspan=30s maxpause=5s
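To see how maxspan, maxpause and maxevents split a stream of events, the following is an added Python model of the constraints described on this page, run with the settings of Example 1. It is not Splunk's code: the names transaction, SAMPLE and example_1 are hypothetical, events are assumed to be processed oldest-first, the connected option is not modelled, and the boundary comparisons follow this page's wording.

```python
# Simplified model of the grouping rules documented above; not Splunk's code.
# Assumptions: events are processed oldest-first, and events missing a
# grouping field are skipped (the connected= option is not modelled).

def transaction(events, fields, maxspan=-1, maxpause=-1, maxevents=1000):
    """Group events that share the values of `fields`. Limits are in seconds;
    a negative limit disables that constraint, as described on the page."""
    open_txns, closed = {}, []

    def close(key):
        members = open_txns.pop(key)
        closed.append({
            **dict(zip(fields, key)),
            "_time": members[0]["_time"],   # time of the earliest member
            "duration": members[-1]["_time"] - members[0]["_time"],
            "eventcount": len(members),
        })

    for ev in sorted(events, key=lambda e: e["_time"]):
        if any(f not in ev for f in fields):
            continue
        key = tuple(ev[f] for f in fields)
        members = open_txns.get(key)
        if members:
            pause = ev["_time"] - members[-1]["_time"]
            span = ev["_time"] - members[0]["_time"]
            if ((maxpause >= 0 and pause > maxpause)        # gap too long
                    or (maxspan >= 0 and span >= maxspan)   # span must stay < maxspan
                    or (maxevents >= 0 and len(members) >= maxevents)):
                close(key)   # this event starts a new transaction
        open_txns.setdefault(key, []).append(ev)

    for key in list(open_txns):
        close(key)
    return sorted(closed, key=lambda t: (t["_time"], [t[f] for f in fields]))

# Constructed sample events (timestamps in seconds), not taken from a real log.
SAMPLE = (
    [{"_time": t, "host": "web1", "cookie": "abc"} for t in (0, 3, 6)]
    + [{"_time": t, "host": "web1", "cookie": "abc"} for t in range(20, 56, 4)]
    + [{"_time": t, "host": "web2", "cookie": "abc"} for t in (1, 4)]
)

def example_1():
    # Mirrors Example 1: transaction host,cookie maxspan=30s maxpause=5s
    return transaction(SAMPLE, ["host", "cookie"], maxspan=30, maxpause=5)

if __name__ == "__main__":
    for txn in example_1():
        print(txn)
```

In the sample, the 14-second gap on web1 closes the first transaction through maxpause, while the steady 4-second stream that follows is cut by maxspan even though no single pause exceeds 5 seconds.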

This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11

