villaget.blogg.se

Splunk transaction same event

Identify and group events into transactions

You can search for related events and group them into one single event, called a transaction (sometimes referred to as a session).

Different events from the same source and the same host.
Different events from different sources from the same host.
Similar events from different hosts and different sources.

Search for transactions using the transaction command either in Splunk Web or at the CLI. The transaction command yields groupings of events which can be used in reports. To use transaction, either call a transaction type (that you configured via transactiontypes.conf), or define transaction constraints in your search by setting the search options of the transaction command.

Transactions returned at search time consist of the raw text of each event, the shared event types, and the field values. Transactions also have additional data that is stored in the fields: duration and transactiontype.

duration contains the duration of the transaction (the difference between the timestamps of the first and last events of the transaction).
transactiontype is the name of the transaction (as defined in transactiontypes.conf by the transaction's stanza name).

For best search performance, craft your search and then pipe it to the transaction command. For more information see the topic on the transaction command in the Search Reference manual.

Follow the transaction command with the following options. Note: Some transaction options do not work in conjunction with others.

Specifies the name of a stanza from transactiontypes.conf. Use this to invoke a transaction type that you have already configured for reuse. If other arguments are provided, they overrule values specified for the same arguments in the transaction rule. For example, if web_purchase, the transaction rule you're invoking, is configured with maxevents=10, but you'd like to run it with a different value for maxevents, add maxevents to the search string with the value you want:

    sourcetype=access_* | transaction name=web_purchase maxevents=5

This is a comma-separated list of fields, such as. If set, each event must have the same field(s) to be considered part of the same transaction. Events with common field names and different values will not be grouped. With | transaction host, a search result that has host=mylaptop can never be in the same transaction as a search result with host=myserver. A search result that has no host value can be in a transaction with a result that has host=mylaptop.

Specify the matching type to use with a transaction definition. The only value supported currently is closest.

Set the maximum duration of one transaction. Can be in seconds, minutes, hours or days. Defaults to maxspan=-1, for an "all time" timerange.

Specifies the maximum pause between transactions. Requires there be no pause between the events within the transaction greater than maxpause. If the value is negative, the maxpause constraint is disabled.
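
The following is an added example, not Splunk code and not from the original page: a simplified Python model of how the field list, maxspan, maxpause and maxevents constraints described on this page decide which events share a transaction, including the case of an event with no host value. The function name, the event dictionaries and the `_time` values in seconds are constructed for illustration.

```python
# Simplified model of the transaction constraints described on this page.
# Not Splunk's implementation; all events below are constructed samples.
EVENTS = [
    {"_time": 0, "host": "mylaptop", "msg": "login"},
    {"_time": 5, "host": "myserver", "msg": "login"},
    {"_time": 10, "msg": "no host field"},
    {"_time": 20, "host": "mylaptop", "msg": "purchase"},
    {"_time": 200, "host": "mylaptop", "msg": "login"},
]

def group_transactions(events, fields, maxspan=-1, maxpause=-1, maxevents=-1):
    """Group events into transactions; a negative limit disables it."""
    open_txns, closed = [], []
    for ev in sorted(events, key=lambda e: e["_time"]):
        target = None
        for txn in open_txns:
            # A missing field value is compatible with any value;
            # two different values never share a transaction.
            compatible = all(
                ev.get(f) is None or txn["keys"].get(f) is None
                or ev[f] == txn["keys"][f]
                for f in fields
            )
            if not compatible:
                continue
            first, last = txn["events"][0]["_time"], txn["events"][-1]["_time"]
            too_long = maxspan >= 0 and ev["_time"] - first > maxspan
            too_quiet = maxpause >= 0 and ev["_time"] - last > maxpause
            full = maxevents >= 0 and len(txn["events"]) >= maxevents
            if too_long or too_quiet or full:
                open_txns.remove(txn)  # a limit was hit: close it
                closed.append(txn)
            else:
                target = txn
            break
        if target is None:
            target = {"keys": {}, "events": []}
            open_txns.append(target)
        target["events"].append(ev)
        for f in fields:
            if ev.get(f) is not None:
                target["keys"].setdefault(f, ev[f])
    result = closed + open_txns
    for txn in result:
        # duration: last event timestamp minus first event timestamp
        txn["duration"] = txn["events"][-1]["_time"] - txn["events"][0]["_time"]
    return sorted(result, key=lambda t: t["events"][0]["_time"])
```

With `fields=["host"]` and `maxpause=60`, the host-less event at 10 s joins the mylaptop transaction, while the mylaptop event at 200 s starts a new one because the gap exceeds maxpause.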













