Cover by Vincent Bumgarner

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

O'Reilly logo

Using transaction

The transaction command lets you group events based on their proximity to other events. This proximity is determined either by ranges of time, or by specifying the text contained in the first and/or last event in a transaction. This is an expensive process, but is sometimes the best way to group certain events. Unlike other transforming commands, when using transaction, the original events are maintained and instead are grouped together into multivalued events.

Some rules of thumb for the usage of transaction are as follows:

  • If the question can be answered using stats, it will almost always be more efficient.
  • All of the events needed for the transaction have to be found in one search.
  • When grouping is based on field values, and all ...

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required