Action: transaction
Collects events together based on some condition to make a single new event
Field Summary
Field Name | Type | Description | Default |
---|---|---|---|
condition | expression | Only run this action if the specified condition is met | - |
group-by | field | The field to use to group transactions | - |
start-end | StartEnd | Determine which events begin and which ones end the transaction | - |
marker | array of strings | Field value to mark the new event | - |
common-fields | array of fields | Array of fields that the events are expected to have in common | - |
use-document-marker | bool | If specified we use end-of-document markers instead of the timeout | false |
combined-output | bool | If specified combine collected events into a single event | false |
combined-payload | bool | If specified, combine collected events into a single event and concatenate payloads (if specified, sets combined-output to true) | false |
timeout | duration | Signature of timeout event | - |
time-field | field | Use the following field for timestamp recognition, needed for timeout | - |
Fields
condition
Type: expression
Only run this action if the specified condition is met
group-by
Type: field
The field to use to group transactions
Example
Input:
{"first":"John","last":"Doe"}
{"first":"Jane","last":"Doe"}
Pipe Language Snippet:
transaction:
  group-by: last
  marker:
  - marker
Output:
{"_marker":"marker","complete":true,"duration":0,"recs":[{"first":"John","last":"Doe"},{"first":"Jane","last":"Doe"}]}
start-end
Type: StartEnd
Determine which events begin and which ones end the transaction
Start and end both give the field name and a pattern the value must match
Example
Input:
{"first":"Jane","last":"Doe"}
{"first":"John","last":"Doe"}
{"first":"Jane","last":"Doe"}
{"first":"John","last":"Doe"}
Pipe Language Snippet:
transaction:
  start-end:
    start:
    - first
    - Jane
    end:
    - first
    - John
  marker:
  - marker
Output:
{"_marker":"marker","complete":true,"duration":0,"recs":[{"first":"Jane","last":"Doe"},{"first":"John","last":"Doe"}]}
{"_marker":"marker","complete":true,"duration":0,"recs":[{"first":"Jane","last":"Doe"},{"first":"John","last":"Doe"}]}
Field Name | Type | Description | Default |
---|---|---|---|
start | array of (field,regex) pairs | Key-value to determine the first event of a transaction | - |
end | array of (field,regex) pairs | Key-value to determine the last event of a transaction | - |
start
Type: array of (field,regex) pairs
Key-value to determine the first event of a transaction
end
Type: array of (field,regex) pairs
Key-value to determine the last event of a transaction
marker
Type: array of strings
Field value to mark the new event
If it has one element, the marker field is '_marker' and the element is its value. If it has two elements, the first is the name of the marker field and the second is the value.
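A Python model of the start-end and marker rules described above, added here as an illustration and not the tool's own code. The names `transactions`, `marker_pair` and `matches` are hypothetical; whole-value regex matching, skipping events outside a transaction, and reporting an unterminated transaction with complete=false are assumptions the page does not state. The session events are constructed.

```python
import json
import re

def marker_pair(marker):
    # One element: field is '_marker'; two elements: [field name, value].
    return ("_marker", marker[0]) if len(marker) == 1 else (marker[0], marker[1])

def matches(event, pair):
    # pair is [field, regex]. Assumption: the regex must match the whole value.
    field, pattern = pair
    return field in event and re.fullmatch(pattern, str(event[field])) is not None

def transactions(events, start, end, marker):
    name, value = marker_pair(marker)
    out, recs = [], None

    def emit(complete):
        # duration stays 0: this model has no time-field, as in the page's examples.
        out.append({name: value, "complete": complete, "duration": 0, "recs": recs})

    for ev in events:
        if recs is None:
            if matches(ev, start):   # assumption: events before a start are skipped
                recs = [ev]
        else:
            recs.append(ev)
            if matches(ev, end):
                emit(True)
                recs = None
    if recs is not None:             # assumption: an unterminated run is flagged
        emit(False)
    return out

# Input from the start-end example on this page.
PAGE_INPUT = [{"first": "Jane", "last": "Doe"}, {"first": "John", "last": "Doe"}] * 2
# Constructed session events: one closed session, one login with no logout.
SESSION = [{"event": "login", "user": "alice"}, {"event": "read", "user": "alice"},
           {"event": "logout", "user": "alice"}, {"event": "login", "user": "bob"}]

if __name__ == "__main__":
    for rec in transactions(PAGE_INPUT, ["first", "Jane"], ["first", "John"], ["marker"]):
        print(json.dumps(rec))
    for rec in transactions(SESSION, ["event", "login"], ["event", "logout"],
                            ["kind", "session"]):
        print(json.dumps(rec))
```

In this model, an unterminated login is the kind of record a detection pipeline would filter on with `complete` set to false.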
common-fields
Type: array of fields
Array of fields that the events are expected to have in common
use-document-marker
Type: bool
Default: false
If specified we use end-of-document markers instead of the timeout
combined-output
Type: bool
Default: false
If specified combine collected events into a single event
combined-payload
Type: bool
Default: false
If specified, combine collected events into a single event and concatenate payloads (if specified, sets combined-output to true)
timeout
Type: duration
Signature of timeout event
This can be a timeout value such as '300ms' or the special word 'document' (in which case the end-of-document markers created by scheduled inputs and the files input are used). In this case, 'stalled' is implicitly invoked.
time-field
Type: field
Use the following field for timestamp recognition, needed for timeout