Pack pause all timely
3/25/2023

Syntax: | () | eval() Description: A search or eval filtering expression which if satisfied by an event marks the end of a transaction. These options are used with the startswith and endswith arguments. unifyends Syntax: unifyends= true | false Description: Whether to force events that match startswith/endswith constraint(s) to also match at least one of the fields used to unify events into a transaction. Default: 1000 startswith Syntax: startswith= Description: A search or eval filtering expression which if satisfied by an event marks the beginning of a new transaction. If the value is negative this constraint is disabled. Default: -1 (no limit) maxevents Syntax: maxevents= Description: The maximum number of events in a transaction. If value is negative, the maxpause constraint is disabled and there is no limit. Default: -1 (no limit) maxpause Syntax: maxpause= Description: Specifies the maximum length of time in seconds, minutes, hours, or days for the pause between the events in a transaction. If the value is negative, the maxspan constraint is disabled and there is no limit. Events that exceed the maxspan limit are treated as part of a separate transaction. The events in the transaction must span less than the integer specified for maxspan. Default: false maxspan Syntax: maxspan= Description: Specifies the maximum length of time in seconds, minutes, hours, or days that the events can span. The results that are passed through as "orphans" are distinguished from transaction events with a _txn_orphan field, which has a value of 1 for orphan results. keeporphans Syntax: keeporphans=true | false Description: Specify whether the transaction command should output the results that are not part of any transactions. Default: true endswith Syntax: endswith= Description: A search or eval expression which, if satisfied by an event, marks the end of a transaction.
If an event contains fields required by the transaction, but none of these fields have been instantiated in the transaction (added with a previous event), this opens a new transaction (connected=true) or adds the event to the transaction (connected=false). Txn definition options connected Syntax: connected= Description: Only relevant if a field or fields list is specified. You can use multiple options to define your transaction. txn_definition-options Syntax: | | | | | | | Description: Specify the transaction definition options to define your transactions. They are not required, but you can use 0 or more of the options to define your transaction. rendering-options Syntax: | | | Description: These options control the multivalue rendering for your transactions. If you provide other transaction definition options (such as maxspan) in this search, they overrule the settings in the configuration file. This runs the search using the settings defined in this stanza of the configuration file. name Syntax: name= Description: Specify the stanza name of a transaction that is configured in the nf file. memcontrol-options Syntax: | | Description: These options control the memory usage for your transactions. For each client_ip value, a separate transaction is returned for each unique host value for that client_ip. For example, suppose two fields are specified: client_ip and host. The events are grouped into transactions, based on the unique values in the fields. See About transactions in the Search Manual. The values in the eventcount field show the number of events in the transaction. The values in the duration field show the difference between the timestamps for the first and last events in the transaction.
Transactions are made up of the raw text (the _raw field) of each member, the time and date fields of the earliest member, as well as the union of all other fields of each member. Additionally, the transaction command adds two fields to the raw events, duration and eventcount. The transaction command finds transactions based on events that meet various constraints.