I'm trying to define a transaction within a search in the Web UI. It works fine provided I only supply one field. However, if I use more than one field, separated by commas, I get "The fields option is invalid when a list of fields is provided in the argument list."
The docs clearly state that the fields argument should be a comma delimited list of fields.
Any ideas?
The field list in a transaction command does not require an identifier.
It may be any field listed that is not part of an accepted parameter.
For example:
source=*.log |transaction maxspan=10s maxpause=2 UserID src_ip
OR
source=*.log |transaction UserID src_ip maxspan=10s maxpause=2
If you choose to use an identifier, I have found (as have you) that one field works well - but two produces an error. You may quote the field list to remove that error, like this:
source=*.log |transaction maxspan=10s maxpause=2 fields="UserID,src_ip"
I also get this... After the query tries to run...
Error in 'transaction': The fields option is invalid when a list of fields is provided in the argument list.
Seems contradictory, yet I'm sure it's just my lack of the proper usage.
source=*.log |transaction maxspan=10s maxpause=2 fields=UserID, src_ip
This fails with the error, but if I only use UserID, it works fine.
Timmy, can you provide your search?