You can find an example of search macro and transaction combination in Search macro examples. Make a transaction search and then save it with $field$ to allow substitution. Transactions and macro searches are a powerful combination that allows substitution into your transaction searches. eval bool expression: eval(distance/time is a valid eval expression that evaluates to a boolean.is a valid search expression that contains quotes.is a valid search expression that does not contain quotes.endswith=eval(speed_field is defined with the following syntax:.A search or eval-filtering expression which, if satisfied by an event, marks the end of a transaction.A search or eval-filtering expression which, if satisfied by an event, marks the beginning of a new transaction.If the value is negative, the maxspause constraint is disabled.Requires there be no pause between the events within the transaction greater than maxpause.Specifies the maximum pause between transactions.Defaults to maxspan=-1, for an "all time" timerange.Can be in seconds, minutes, hours or days.Set the maximum span across events in a transaction.The only value supported currently is closest.Specify the matching type to use with a transaction definition.A search result that has no host value can be in a transaction with a result that has host=mylaptop.|transaction host, then a search result that has host=mylaptop can never be in the same transaction as a search result with host=myserver. Events with common field names and different values will not be grouped.If set, each event must have the same field(s) to be considered part of the same transaction.This is a comma-separated list of fields, such as.Note: Some transaction options do not work in conjunction with others. For more information see the topic on the transaction command in the Search Reference manual.įollow the transaction command with the following options. For best search performance, craft your search and then pipe it to the transaction command.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |