Here's an alternative method using rex.
For testing purposes let's associate events from metrics.log in clumps of 4 with :
index=_internal source=*metrics.log | transaction maxevents=4 source
This yields transaction meta-events that look like this :
12-29-2011 08:51:52.940 -0800 INFO Metrics - group=queue, name=tcpin_queue, max_size_kb=500, current_size_kb=0, current_size=0, largest_size=0, smallest_size=0
12-29-2011 08:51:52.940 -0800 INFO Metrics - group=queue, name=typingqueue, max_size_kb=500, current_size_kb=0, current_size=0, largest_size=58, smallest_size=0
12-29-2011 08:51:52.940 -0800 INFO Metrics - group=realtime_search_data, system total, drop_count=0
12-29-2011 08:51:52.940 -0800 INFO Metrics - group=search_concurrency, system total, active_hist_searches=0, active_realtime_searches=0
To get the original _raw field back (and therefore, display the original events) I use rex with a "delimiter" regex matching the date at the beginning of my event, and then all characters until a CLRF. This creates one multi-value field per transaction containing the pre-transaction values of _raw, which we can then expand back to a single-value field with mvexpand:
index=_internal source=*metrics.log | transaction maxevents=4 source | eval transaction_raw=_raw | rex max_match=1000 "(?msi)^(?[01]\d-[0-3]\d-2011\s[^\r\n]*?)$" | mvexpand raw | eval _raw=raw
Remarks :
- For the delimiter regex to work, you need to specify
max_match with a value equal to or higher than the maximum number of events you expect in your transaction.
- The regex will need to be reworked if your original events span multiple lines.
- A transition field (here
raw) is necessary. You cannot restore _raw directly unto itself.
- We conserved the transaction's own
_raw in transaction_raw which allows to still report on the transaction results. The transaction special fields are also conserved.
