Skip to main content
Version: 3.5.0

Action: transaction

Collects events together based on some condition to make a single new event

Field Summary

Field NameTypeDescriptionDefault
conditionexpressionOnly run this action if the condition the specified condition is met-
group-byfieldThe field to use to group transactions-
start-endStartEndDetermine which events begin and which ones end the transaction-
markerarray of stringsField value to mark the new event-
common-fieldsarray of fieldsArray of fields that the events are expected to have in common-
use-document-markerboolIf specified we use end-of-document markers instead of the timeoutfalse
combined-outputboolIf specified combine collected events into a single eventfalse
combined-payloadboolIf specified combine collected events into a single event and concatenate payloads (if specified will set combined_output to true)false
timeoutdurationSignature of timeout event-
time-fieldfieldUse the following field for timestamp recognition, needed for timeout-

Fields

condition

Type: expression

Only run this action if the condition the specified condition is met

group-by

Type: field

The field to use to group transactions

Example

Input:

{"first":"John","last":"Doe"}
{"first":"Jane","last":"Doe"}

Pipe Language Snippet:

transaction:
group-by: last
marker:
- marker

Output:

{"_marker":"marker","complete":true,"duration":0,"recs":[{"first":"John","last":"Doe"},{"first":"Jane","last":"Doe"}]}

start-end

Type: StartEnd

Determine which events begin and which ones end the transaction

Start and end both give the field name and a pattern the value must match

Example

Input:

{"first":"Jane","last":"Doe"}
{"first":"John","last":"Doe"}
{"first":"Jane","last":"Doe"}
{"first":"John","last":"Doe"}

Pipe Language Snippet:

transaction:
start-end:
start:
- first
- Jane
end:
- first
- John
marker:
- marker

Output:

{"_marker":"marker","complete":true,"duration":0,"recs":[{"first":"Jane","last":"Doe"},{"first":"John","last":"Doe"}]}
{"_marker":"marker","complete":true,"duration":0,"recs":[{"first":"Jane","last":"Doe"},{"first":"John","last":"Doe"}]}

Field NameTypeDescriptionDefault
startarray of (field,regex) pairsKey-value to determine the first event of a transaction-
endarray of (field,regex) pairsKey-value to determine the first event of a transaction-

  start

Type: array of (field,regex) pairs

Key-value to determine the first event of a transaction

  end

Type: array of (field,regex) pairs

Key-value to determine the first event of a transaction

marker

Type: array of strings

Field value to mark the new event

If it has one element, then the marker is '_marker' and this is the value if it has two elements, then the first is the name of the marker field and the second is the value

common-fields

Type: array of fields

Array of fields that the events are expected to have in common

use-document-marker

Type: bool

Default: false

If specified we use end-of-document markers instead of the timeout

combined-output

Type: bool

Default: false

If specified combine collected events into a single event

combined-payload

Type: bool

Default: false

If specified combine collected events into a single event and concatenate payloads (if specified will set combined_output to true)

timeout

Type: duration

Signature of timeout event

This can directly be a timeout value like '300ms' or the special word 'document', (in which case we use the end-of-document markers created by scheduled inputs and the files input.) In this case, 'stalled' is implicitly invoked.

time-field

Type: field

Use the following field for timestamp recognition, needed for timeout