You need to build transactions from multiple data sources that use different field names for the same identifier.

However, it is important to note that if neither of these cases is applicable, it is generally recommended to use the stats command instead. This is because search performance for stats is typically better than for the transaction command. In many cases, there may be a unique identifier available, and leveraging stats can be a more efficient approach.

For example, to compute statistics on the duration of trades identified by the unique identifier trade_id, the following searches yield the same answer:

… | transaction trade_id | chart count by duration

… | stats range(_time) as duration by trade_id | chart count by duration

However, if trade_id values are reused but the last event of each trade is indicated by the text “END”, the only viable solution is:

… | transaction trade_id endswith=END | chart count by duration

If instead of an end condition, trade_id values are not reused within 10 minutes, the most viable solution is:

… | transaction trade_id maxpause=10m | chart count by duration

Finally, a brief word about performance. No matter what search commands you use, it’s imperative for performance that you make the base search as specific as possible. Consider this search:

sourcetype=x | transaction field=ip maxpause=15s | search ip=1.2.3.4

Here we are retrieving all events of sourcetype=x, building up transactions, and then throwing away any that don’t have an ip=1.2.3.4. If all your events have the same IP value, this search should be:

sourcetype=x ip=1.2.3.4 | transaction field=ip maxpause=15s

This search retrieves only the events it needs to and is much more efficient.
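To make the trade-offs above concrete, here is an added Python example (not Splunk code and not part of the original post) that emulates, in simplified form, what the SPL pipelines compute: stats range(_time) by trade_id, transaction with endswith and maxpause, chart count by duration, and a narrow versus broad base search in front of transaction. The event list is constructed; the function names, the Event class and the simplified closing rules are assumptions of this example. Real transaction processes events newest-first and has many more options, but the grouping behaviour shown here is what the text relies on: when trade_id is reused, stats collapses both trades into one 720-second span, while endswith=END or maxpause splits them correctly, and filtering in the base search halves the events the transaction stage has to buffer.

```python
"""Simplified emulation of the transaction-vs-stats choice discussed above.

Added example, not Splunk code: the helpers imitate what these SPL pipelines compute
  ... | stats range(_time) as duration by trade_id
  ... | transaction trade_id [endswith=END] [maxpause=<secs>]
  ... | chart count by duration
  base search | transaction field=ip maxpause=15s | search ip=1.2.3.4
on a constructed event list, so the effect of reused trade_id values and of a
narrow vs. broad base search can be checked directly.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass(frozen=True)
class Event:
    time: float      # _time as epoch seconds (constructed values)
    trade_id: str
    ip: str
    msg: str


# Constructed sample data: T2 runs inside T1, and trade_id T1 is reused ~11 min later.
EVENTS = [
    Event(0.0,   "T1", "1.2.3.4",  "OPEN"),
    Event(10.0,  "T2", "10.0.0.9", "OPEN"),
    Event(25.0,  "T2", "10.0.0.9", "END"),
    Event(30.0,  "T1", "1.2.3.4",  "END"),
    Event(700.0, "T1", "1.2.3.4",  "OPEN"),   # T1 reused for a second trade
    Event(720.0, "T1", "1.2.3.4",  "END"),
]


def stats_duration(events: Iterable[Event]) -> dict:
    """... | stats range(_time) as duration by trade_id: one pass, two numbers per id."""
    first, last = {}, {}
    for e in events:
        first[e.trade_id] = min(first.get(e.trade_id, e.time), e.time)
        last[e.trade_id] = max(last.get(e.trade_id, e.time), e.time)
    return {tid: last[tid] - first[tid] for tid in first}


def transaction(events: Iterable[Event], field: str = "trade_id",
                maxpause: Optional[float] = None,
                endswith: Optional[str] = None) -> List[dict]:
    """... | transaction <field> [maxpause=<secs>] [endswith=<text>]

    Simplified: events are walked oldest-first and buffered per field value; a
    group is closed when an event contains `endswith`, or when the gap to the next
    event with the same value exceeds `maxpause`. Splunk's real command is richer
    (it works newest-first and has more options), but the grouping rule is the same.
    """
    open_tx: dict = {}
    closed: List[List[Event]] = []
    for e in sorted(events, key=lambda ev: ev.time):
        key = getattr(e, field)
        tx = open_tx.get(key)
        if tx is not None and maxpause is not None and e.time - tx[-1].time > maxpause:
            closed.append(open_tx.pop(key))   # pause too long: this event starts a new group
            tx = None
        if tx is None:
            tx = open_tx[key] = []
        tx.append(e)
        if endswith is not None and endswith in e.msg:
            closed.append(open_tx.pop(key))   # terminating event seen: close the group
    closed.extend(open_tx.values())           # groups never closed are still emitted
    return [{"key": getattr(t[0], field), "duration": t[-1].time - t[0].time,
             "eventcount": len(t), "ip": {ev.ip for ev in t}} for t in closed]


def chart_count_by_duration(transactions: Iterable[dict]) -> dict:
    """... | chart count by duration"""
    return dict(Counter(t["duration"] for t in transactions))


def pipeline(events: Iterable[Event],
             base_filter: Optional[Callable[[Event], bool]] = None,
             post_filter: Optional[Callable[[dict], bool]] = None,
             **tx_opts):
    """base search | transaction ... [| search ...]; also reports how many events the
    transaction stage had to buffer, which is the cost the text warns about."""
    fed = [e for e in events if base_filter is None or base_filter(e)]
    txs = transaction(fed, **tx_opts)
    if post_filter is not None:
        txs = [t for t in txs if post_filter(t)]
    return txs, len(fed)


if __name__ == "__main__":
    print("stats range(_time):   ", stats_duration(EVENTS))
    print("transaction trade_id: ", chart_count_by_duration(transaction(EVENTS)))
    print("  endswith=END:       ", chart_count_by_duration(transaction(EVENTS, endswith="END")))
    print("  maxpause=10m:       ", chart_count_by_duration(transaction(EVENTS, maxpause=600)))
    narrow = pipeline(EVENTS, base_filter=lambda e: e.ip == "1.2.3.4", field="ip", maxpause=15)
    broad = pipeline(EVENTS, post_filter=lambda t: "1.2.3.4" in t["ip"], field="ip", maxpause=15)
    print("events fed to transaction: narrow base search =", narrow[1], ", broad =", broad[1])
```

Running it shows the two halves of the argument: with no end condition, transaction trade_id and stats range(_time) agree (T1 = 720 s, T2 = 15 s), so stats is the cheaper choice; once endswith=END or maxpause is needed to separate the reused T1, only transaction gives the three real durations (30, 15 and 20 s). The pipeline comparison returns the same four ip-based transactions either way, but the broad base search feeds all six events into transaction where the narrow one feeds four.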