The transaction command lets you group events based on their proximity to other events. This proximity is determined either by ranges of time, or by specifying the text contained in the first and/or last event in a transaction.
This is an expensive process, but is sometimes the best way to group certain events. Unlike other transforming commands, when using transaction, the original events are maintained, and are grouped together into multivalued events.
Some rules of thumb for the usage of transaction are as follows:
- If the question can be answered using stats (and it often can), it will almost always be more efficient.
- All the events needed for the transaction have to be found in one search.
- When grouping is based on field values, and all the events need at least one field in common with at least one other event, then it can be considered as part of the transaction. This doesn't mean that every event must have the same field, but that all events should have some field from the list of fields specified.
- When grouping is based solely on startswith and endswith, it is important that transactions do not interleave in the search results.
- Every effort should be made to reduce the number of open transactions, as an inefficient query can use a lot of resources. This is controlled by limiting the scope of time with maxspan and maxpause, and/or by using startswith and endswith.
Let's step through a few possible examples of the transaction command in use.