transaction
Description
The transaction command combines sequential events into one transaction if values of the specified comparison fields match exactly. Start and end conditions are defined in optional arguments.
Syntax
transaction <field-list> [timefield=<timefield>] [maxspan=<span>] [maxpause=<span>] [maxevents=<int>] [startswith=<search-expression>] [endswith=<search-expression>] [rawevent=<field>] [keepevicted=<boolean>]
Required Arguments
| Parameter | Syntax | Description |
|---|---|---|
| <field-list> | <field> [, <field>] | List of fields whose values must match exactly for events to be grouped into the same transaction. |
Optional Arguments
| Parameter | Syntax | Default | Description |
|---|---|---|---|
| timefield | timefield=<field> | @timestamp | The name of the field containing the event timestamp. |
| rawevent | rawevent=<field> | none | The field whose values are concatenated into one string, in the order events enter the transaction. The resulting string overwrites that field in the output. |
| maxspan | maxspan=<span> | no limit | Maximum total duration of a transaction (from its first event to its last). An event that would push the transaction past this span starts a new transaction instead. |
| maxpause | maxpause=<span> | no limit | Maximum pause between two consecutive events of a transaction. An event that arrives after a longer pause starts a new transaction instead. |
| maxevents | maxevents=<int> | no limit | Maximum number of events in a transaction. |
| startswith | startswith=<search-expression> | none | The condition an event must match to be treated as the start of a transaction. |
| endswith | endswith=<search-expression> | none | The condition an event must match to be treated as the end of a transaction. |
| keepevicted | keepevicted=<boolean> | false | Controls whether evicted transactions (those that ended without meeting the end condition) are included in the output. |
Span values (maxspan, maxpause) use the format (+|-)<int><unit>, where <unit> is one of:
- s/sec/secs/second/seconds - seconds
- m/min/mins/minute/minutes - minutes
- h/hr/hrs/hour/hours - hours
- d/day/days - days
- w/week/weeks - weeks
- mon/month/months - months
If source events contain the fields duration, eventcount, or closed_txn, those values are overwritten by the transaction statistics. If the rawevent option is set and the named field exists in the source events, that field is overwritten in the results by the concatenated string.
Query Examples
Example 1
Search for long-running jobs.
... | transaction job_id
| where duration > 120
Events with the same job_id are grouped into transactions; the where clause then keeps only transactions whose duration exceeds 120.
Example 2
Track user sessions with time limits.
... | transaction session_id maxspan=10m maxpause=30s
Events with the same session_id are grouped. A transaction ends if total sequence duration exceeds 10 minutes or pause between events exceeds 30 seconds.
Example 3
Successful purchase flow in an online store.
... | transaction JSESSIONID, clientip startswith=(action="view") endswith="purchase" rawevent=action
Events are grouped by JSESSIONID and clientip. A transaction starts at an event with action="view" and ends at an event matching "purchase". Because rawevent=action is set, the action values of each transaction are concatenated into one string that replaces the action field in the output.
Example 4
All user actions in an online store.
... | transaction JSESSIONID, clientip startswith=(action="view") endswith="purchase" maxspan=5m keepevicted=true
Because keepevicted=true, the output includes both transactions that reached purchase and transactions evicted before reaching it, for example when the 5-minute maxspan was exceeded first.
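To make the grouping rules above concrete, here is a small reference model of the command written for this page; it is an added example, not the product's own implementation. It assumes events are Python dicts, that the timefield holds epoch seconds, that span arguments are passed as plain seconds instead of the 10m/30s syntax, and that startswith/endswith are Python predicates standing in for search expressions. The eviction rule is also an assumption chosen to match Examples 2 and 4: a transaction is closed (closed_txn=1) when no endswith is given or its last event matched endswith, and evicted (closed_txn=0) otherwise. The sample events and the separator used by rawevent are constructed for the example.

```python
"""Reference model of the transaction command's grouping rules: an added example,
not the product's implementation. Events are dicts, the timefield holds epoch
seconds, and span arguments are given in seconds."""
from typing import Callable, Optional

Predicate = Callable[[dict], bool]


def transaction(events, fields, *, timefield="@timestamp", maxspan=None,
                maxpause=None, maxevents=None, startswith: Optional[Predicate] = None,
                endswith: Optional[Predicate] = None, rawevent=None, keepevicted=False):
    """Group events whose comparison fields match exactly into transactions.

    Assumed rule: closed_txn is 1 when no endswith is given or the last event
    matched endswith, 0 (evicted) otherwise; evicted transactions are only
    returned when keepevicted is True.
    """
    ordered = sorted(events, key=lambda e: e[timefield])  # stable: ties keep input order
    open_txns = {}   # comparison-field values -> events of the open transaction
    out = []

    def emit(evs):
        closed = endswith is None or endswith(evs[-1])
        if not closed and not keepevicted:
            return
        row = {f: evs[0][f] for f in fields}
        # Statistics overwrite same-named fields from the source events
        row["duration"] = evs[-1][timefield] - evs[0][timefield]
        row["eventcount"] = len(evs)
        row["closed_txn"] = 1 if closed else 0
        if rawevent is not None:   # concatenate in the order events entered
            row[rawevent] = " ".join(str(e.get(rawevent, "")) for e in evs)
        row["events"] = evs
        out.append(row)

    for ev in ordered:
        if any(f not in ev for f in fields):
            continue   # assumption: events missing a comparison field never join
        key = tuple(ev[f] for f in fields)
        t = ev[timefield]
        evs = open_txns.get(key)
        is_start = startswith is not None and startswith(ev)
        if evs is not None and (
                is_start
                or (maxspan is not None and t - evs[0][timefield] > maxspan)
                or (maxpause is not None and t - evs[-1][timefield] > maxpause)):
            emit(open_txns.pop(key))   # a boundary was crossed: the open transaction ends
            evs = None
        if evs is None:
            if startswith is not None and not is_start:
                continue   # assumption: with startswith set, events before a start are dropped
            evs = open_txns[key] = []
        evs.append(ev)
        if (endswith is not None and endswith(ev)) or (
                maxevents is not None and len(evs) >= maxevents):
            emit(open_txns.pop(key))
    for evs in open_txns.values():   # still open when the input ends
        emit(evs)
    return out


# Constructed sample events (not from the page); timestamps are epoch seconds.
STORE_EVENTS = [
    {"@timestamp": 0,   "JSESSIONID": "A", "clientip": "10.0.0.1", "action": "view"},
    {"@timestamp": 30,  "JSESSIONID": "A", "clientip": "10.0.0.1", "action": "addtocart"},
    {"@timestamp": 90,  "JSESSIONID": "A", "clientip": "10.0.0.1", "action": "purchase"},
    {"@timestamp": 100, "JSESSIONID": "B", "clientip": "10.0.0.2", "action": "view"},
    {"@timestamp": 160, "JSESSIONID": "B", "clientip": "10.0.0.2", "action": "addtocart"},
    {"@timestamp": 500, "JSESSIONID": "B", "clientip": "10.0.0.2", "action": "purchase"},
    {"@timestamp": 20,  "JSESSIONID": "C", "clientip": "10.0.0.3", "action": "view"},
]


def purchase_flow(keepevicted):
    """Example 4's query over STORE_EVENTS: view ... purchase within 5 minutes."""
    return transaction(STORE_EVENTS, ["JSESSIONID", "clientip"],
                       startswith=lambda e: e["action"] == "view",
                       endswith=lambda e: e["action"] == "purchase",
                       maxspan=5 * 60, rawevent="action", keepevicted=keepevicted)


if __name__ == "__main__":
    for row in purchase_flow(keepevicted=True):
        print(row["JSESSIONID"], row["closed_txn"], row["duration"], row["action"])
```

Running purchase_flow(True) yields session A as a closed transaction (view addtocart purchase, duration 90), session B as evicted because its purchase arrives 400 seconds after the view and so falls outside the 5-minute maxspan, and session C as evicted because the input ends before any purchase. With keepevicted=False only session A is returned, which is the difference between Example 3 and Example 4. The same function reproduces Example 2 when called with maxspan and maxpause but no start or end condition: a pause longer than maxpause simply starts a new transaction, and both pieces are returned as closed.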