Creating a transaction
You can group events as a transaction. The transaction command creates two fields:
• Duration, which is the difference between timestamps for the first and last events
• Eventcount, which is the number of events in the transaction
For example, you can use the transaction command to create a chart to show the number of transactions based on client IP address, a maximum pause of 1 hour, output evicted transactions (keepevicted=true), and output original events in the order they arrived (mvlist=true). The case function sets the name of transactions where eventcount=1 to "Bounced", where it is 2-5 to "2-5 pages", and where it is <=10 to "6-10 pages". It places a top limit on these transactions of 4,000 and distinguishes these bins of eventcounts as user_type. The steps used are shown here:
1. Insert the following code in the search bar:
sourcetype=access*
  | transaction clientip maxpause=1h keepevicted=t mvlist=t
  | eval user_type=case(eventcount=1, "Bounced", eventcount<=5, "2-5 pages", eventcount<=10, "6-10 pages")
  | top limit=4000 user_type
2. Change the type to Pie by clicking on the icon in the upper-left corner of the Visualizations tab.
Your chart should look like what is shown in the following screenshot:
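To check the search's logic outside Splunk, the following added example (not code from the book or from Splunk) re-implements the grouping by clientip with maxpause=1h, the Duration and Eventcount fields, and the case() bins in Python. The sample events, FMT, and the function names transactions, user_type and top_user_types are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample events (clientip, timestamp); not data from the page.
EVENTS = (
    [("10.0.0.1", "2024-01-01 09:00:00"),
     ("10.0.0.1", "2024-01-01 09:20:00"),
     ("10.0.0.1", "2024-01-01 11:00:00"),  # pause > 1h: new transaction
     ("10.0.0.2", "2024-01-01 09:05:00")]
    + [("10.0.0.3", f"2024-01-01 10:{m:02d}:00") for m in range(5)]
    + [("10.0.0.4", f"2024-01-01 12:{m:02d}:00") for m in range(12)]
)

def transactions(events, maxpause=timedelta(hours=1)):
    """Group events per clientip; a pause longer than maxpause closes the group."""
    by_ip = {}
    for ip, ts in events:
        by_ip.setdefault(ip, []).append(datetime.strptime(ts, FMT))
    out = []
    for ip, stamps in by_ip.items():
        stamps.sort()
        groups = [[stamps[0]]]
        for ts in stamps[1:]:
            if ts - groups[-1][-1] > maxpause:
                groups.append([])
            groups[-1].append(ts)
        for g in groups:
            out.append({"clientip": ip,
                        "duration": (g[-1] - g[0]).total_seconds(),
                        "eventcount": len(g)})
    return out

def user_type(eventcount):
    """Same bins as the case() call; None when no clause matches."""
    if eventcount == 1:
        return "Bounced"
    if eventcount <= 5:
        return "2-5 pages"
    if eventcount <= 10:
        return "6-10 pages"
    return None

def top_user_types(txns):
    """Count transactions per user_type, keeping unmatched ones under None."""
    return Counter(user_type(t["eventcount"]) for t in txns)

if __name__ == "__main__":
    for label, n in top_user_types(transactions(EVENTS)).most_common():
        print(label, n)
```

The 12-event transaction matches no clause, so it gets no user_type, just as case() returns NULL when no condition matches. Such transactions will not appear as a slice of the pie unless a final catch-all clause is added to case().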