transaction command lets you group events based on their proximity to other events. This proximity is determined either by ranges of time, or by specifying the text contained in the first and/or last event in a transaction. This is an expensive process, but is sometimes the best way to group certain events. Unlike other transforming commands, when using
transaction, the original events are maintained and instead are grouped together into multivalued events.
Some rules of thumb for the usage of
transaction are as follows:
stats, it will almost always be more efficient.