Hi all,
I have to separate the results of a transaction to show each event separately.
I'd like to do this because I have to aggregate events into a transaction to verify some rules (eventcount), but afterwards I'd like to show the events separately.
How can I do this?
Thank you.
Bye.
Giuseppe
Try this:
tag=SM
| transaction sourcetype Application maxspan=300s mvraw=true
| eval myRaw = _raw
| mvexpand myRaw
| rename myRaw as _raw
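To connect this answer back to the original question (check a rule on eventcount, then show the events one per row), here is an added example that is not part of the answer above. It assumes the rule is "at least 3 events per transaction" and keeps the original search's field list (sourcetype and Application); the where clause must sit before mvexpand, because eventcount exists on the transaction, not on the expanded rows:

```spl
tag=SM
| transaction sourcetype Application maxspan=300s mvraw=true
| where eventcount >= 3
| eval myRaw=_raw
| mvexpand myRaw
| rename myRaw AS _raw
| table _time sourcetype Application eventcount _raw
```

Two caveats when reading the output: after mvexpand, fields other than _raw (including _time) still carry the transaction's values, so each expanded row shows the transaction start time rather than the individual event's timestamp; and mvexpand only expands up to its configured limit, so very large transactions can come back truncated.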
Don't use transaction in the first place.
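One way to follow this advice (an added example, not the answerer's own query) is to leave every event as its own row and let eventstats compute the per-group count. The 300-second bucket computed from _time is an assumption standing in for maxspan=300s; it is only an approximation, since buckets are aligned to the clock rather than to the first event of each group, while transaction also requires the group to be within maxspan of its own first event. In exchange, every row keeps its own _time and fields, and the search avoids the memory cost of transaction:

```spl
tag=SM
| eval bucket=floor(_time/300)
| eventstats count AS eventcount BY sourcetype Application bucket
| where eventcount >= 3
| fields - bucket
| table _time sourcetype Application eventcount _raw
```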
What is the query that you're using to generate the results?
It's a very simple search:
tag=SM | transaction sourcetype Application maxspan=300s