2. This is attached to the next innermost search (2), like this:
   sourcetype=mail out (msgid=123456) | fields out
3. The results of this search are attached to the outermost search (3), like this:
   (out=987) sourcetype=mail to
This is the final query, which returns the answer we are looking for:
   ... out=987 to=bob@vendor1.co.uk
Using transaction

The transaction command lets you group events based on their proximity to other events. This proximity is determined either by ranges of time, or by specifying the text contained in the first and/or last event in a transaction. This is an expensive process, but is sometimes the best way to group certain events. Unlike other transforming commands, when using transaction, the original events are maintained and instead are grouped together into multivalued events.
Some rules of thumb for the usage of transaction are as follows:
• If the question can be answered using stats, it will almost always be more efficient.
• All of the events needed for the transaction have to be found in one search.
• When grouping is based on field values, and all of the events need at least one field in common with at least one other event, then it can be considered as part of the transaction. This doesn't mean that every event must have the same field, but that all events should have some field from the list of fields specified.
• When grouping is based solely on startswith and endswith, it is important that transactions do not interleave in the search results.
• Every effort should be made to reduce the number of open transactions, as an inefficient query can use a lot of resources. This is controlled by limiting the scope of time with maxspan and maxpause, and/or by using startswith and endswith.
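As an added example that is not from the book, the following Python function models the grouping rules listed above (shared field values, maxspan, maxpause, startswith, endswith) so they can be run against a handful of constructed mail events. It is a simplified model of the semantics, not Splunk's implementation, and MAIL_EVENTS is constructed sample data shaped like the page's mail subsearch example.

```python
def transaction(events, fields=(), maxspan=None, maxpause=None,
                startswith=None, endswith=None):
    """Simplified model of transaction grouping (added example, not Splunk's code).
    Events are dicts with numeric '_time' (seconds). An event joins an open group when
    it shares a (field, value) from `fields` with it, arrives within `maxpause` of the
    group's last event and within `maxspan` of its first; `startswith`/`endswith`
    are one-event predicates that open or close a group."""
    open_groups, done = [], []   # group = {"events": [...], "keys": {(field, value), ...}}
    def fits(group, ev, keys):
        if fields and not (group["keys"] & keys):
            return False
        if maxpause is not None and ev["_time"] - group["events"][-1]["_time"] > maxpause:
            return False
        return maxspan is None or ev["_time"] - group["events"][0]["_time"] <= maxspan

    for ev in sorted(events, key=lambda e: e["_time"]):
        keys = {(f, ev[f]) for f in fields if f in ev}
        if fields and not keys:
            continue                    # carries none of the grouping fields: dropped
        group = None
        if startswith and startswith(ev):
            # a start event opens a fresh group, closing any open group sharing a key with it
            for g in [g for g in open_groups if g["keys"] & keys]:
                open_groups.remove(g)
                done.append(g["events"])
        else:
            group = next((g for g in open_groups if fits(g, ev, keys)), None)
            if group is None and startswith:
                continue                # with startswith set, only a start event opens a group
        if group is None:
            group = {"events": [], "keys": set()}
            open_groups.append(group)
        group["events"].append(ev)
        group["keys"] |= keys
        if endswith and endswith(ev):
            open_groups.remove(group)
            done.append(group["events"])
    done.extend(g["events"] for g in open_groups)   # groups still open at the end are kept
    return sorted(done, key=lambda g: g[0]["_time"])

# Constructed sample events in the shape of the page's mail subsearch example
MAIL_EVENTS = [
    {"_time": 0, "msgid": "123456", "from": "alice@example.com"},
    {"_time": 5, "msgid": "123456", "out": "987"},
    {"_time": 9, "out": "987", "to": "bob@vendor1.co.uk"},
    {"_time": 400, "msgid": "777", "from": "carol@example.com"},
    {"_time": 404, "msgid": "777", "out": "654"},
    {"_time": 410, "out": "654", "to": "dave@vendor2.example"},
]
```

Grouping on fields=("msgid", "out") chains the three events of each message together even though no single event carries both fields, while a small maxpause splits the second message into two groups; a tight maxspan or maxpause is what keeps the number of open groups low.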
Let's step through a few possible examples of the transaction command in use.