transaction
Collects events together based on some condition to make a single new event
| Field Name | Description | Type | Default |
|---|---|---|---|
| condition | Only run this action if the condition the specified condition is met | expression | - |
| group-by | The field to use to group transactions | field | - |
| start-end | Determine which events begin and which ones end the transaction | StartEnd | - |
| marker | Field value to mark the new event | array of strings | - |
| common-fields | Array of fields that the events are expected to have in common | array of fields | - |
| use-document-marker | If specified we use end-of-document markers instead of the timeout | bool | false |
| combined-output | If specified combine collected events into a single event | bool | false |
| timeout | Signature of timeout event | duration | - |
| time-field | Use the following field for timestamp recognition, needed for timeout | field | - |
condition
Only run this action if the condition the specified condition is met
Type: expression
group-by
The field to use to group transactions
Type: field
Example
input:
{"first":"John","last":"Doe"}
{"first":"Jane","last":"Doe"}
action:
transaction:
group-by: last
marker:
- marker
output:
{"_marker":"marker","complete":true,"duration":0,"recs":[{"first":"John","last":"Doe"},{"first":"Jane","last":"Doe"}]}
start-end
Determine which events begin and which ones end the transaction
Start and end both give the field name and a pattern the value must match
Type: StartEnd
Example
input:
{"first":"Jane","last":"Doe"}
{"first":"John","last":"Doe"}
{"first":"Jane","last":"Doe"}
{"first":"John","last":"Doe"}
action:
transaction:
start-end:
start:
- first
- Jane
end:
- first
- John
marker:
- marker
output:
{"_marker":"marker","complete":true,"duration":0,"recs":[{"first":"Jane","last":"Doe"},{"first":"John","last":"Doe"}]}
{"_marker":"marker","complete":true,"duration":0,"recs":[{"first":"Jane","last":"Doe"},{"first":"John","last":"Doe"}]}
| Field Name | Description | Type | Default |
|---|---|---|---|
| start | Key-value to determine the first event of a transaction | array of (field,regex) pairs | - |
| end | Key-value to determine the first event of a transaction | array of (field,regex) pairs | - |
start
Key-value to determine the first event of a transaction
Type: array of (field,regex) pairs
end
Key-value to determine the first event of a transaction
Type: array of (field,regex) pairs
marker
Field value to mark the new event
If it has one element, then the marker is '_marker' and this is the value if it has two elements, then the first is the name of the marker field and the second is the value
Note: This is unusually deranged
Type: array of strings
common-fields
Array of fields that the events are expected to have in common
Type: array of fields
use-document-marker
If specified we use end-of-document markers instead of the timeout
Type: bool
combined-output
If specified combine collected events into a single event
Type: bool
timeout
Signature of timeout event
This can directly be a timeout value like '300ms' or the special word 'document', (in which case we use the end-of-document markers created by scheduled inputs and the files input.) In this case, 'stalled' is implicitly invoked.
Type: duration
time-field
Use the following field for timestamp recognition, needed for timeout
Type: field