transaction
Group related events into transactions based on common field values and time proximity.
Syntax
| transaction <field> [maxspan=<time>] [maxpause=<time>]
Arguments
| Argument | Default | Description |
|---|---|---|
field | Required | Field to group events by |
maxspan | none | Maximum duration of a transaction |
maxpause | none | Maximum gap between events in a transaction |
Examples
-- Group events by session ID
| transaction session_id
-- With time constraints
| transaction request_id maxspan=5m
-- With max pause between events
| transaction user_id maxpause=30s maxspan=1h
Output
Each transaction becomes a single event with:
duration-- total transaction durationeventcount-- number of events in the transaction- All fields from the grouped events