Hi, I need help with transaction command results.
I have the following input to the transaction command:
eventID,"_time","start_time_formated",from,to
"d5f1b6d3-e711-4768-8938-85b22e7874ee","2019-05-29T15:28:37.000+0000","05/29/19 03:28:37 PM","class-A","class-B"
"82fa4200-e608-4220-b8c7-17533a4da494","2019-05-29T19:30:55.000+0000","05/29/19 07:30:55 PM","class-B","class-A"
"96a6bf68-ceed-4ba1-82c0-215cee7465d3","2019-05-29T19:46:56.000+0000","05/29/19 07:46:56 PM","class-A","class-B"
"918adee8-5725-4dc3-8028-552be6716079","2019-05-29T22:30:43.000+0000","05/29/19 10:30:43 PM","class-B","class-A"
"4679dbe9-15d3-4a48-b0ab-6388d72d1f38","2019-05-30T06:20:27.000+0000","05/30/19 06:20:27 AM","class-A","class-B"
"70b91ce6-78fe-4f26-8c7a-bce01a273689","2019-05-30T08:45:41.000+0000","05/30/19 08:45:41 AM","class-B","class-A"
"e8ec879f-5024-4fcb-901d-da2a7ac377a7","2019-05-30T19:44:29.000+0000","05/30/19 07:44:29 PM","class-A","class-B"
"a607c492-49a5-4ee3-9862-46a583aa51c2","2019-05-30T22:00:56.000+0000","05/30/19 10:00:56 PM","class-B","class-A"
"ab1356e2-a18a-4988-9fe4-3fc7f1e1a345","2019-05-31T09:35:08.000+0000","05/31/19 09:35:08 AM","class-A","class-B"
"44318407-96cc-459b-b9b3-ece12cd13916","2019-05-31T09:35:41.000+0000","05/31/19 09:35:41 AM","class-A","class-B"
"4fb3811a-2ac2-46a3-b7c6-ea7106f21878","2019-06-01T04:16:03.000+0000","06/01/19 04:16:03 AM","class-B","class-A"
"d63558d6-c233-4ee3-adf8-66161a784c02","2019-06-03T12:02:01.000+0000","06/03/19 12:02:01 PM","class-A","class-B"
"dce54d12-0dff-4141-8908-ba854ae3255d","2019-06-03T17:02:20.000+0000","06/03/19 05:02:20 PM","class-B","class-A"
"a7c5341d-cc64-465b-a8a8-177646ae6032","2019-06-03T19:44:36.000+0000","06/03/19 07:44:36 PM","class-A","class-B"
"e4a42b0d-0851-4d0c-a88e-dd4ad14de8ab","2019-06-03T21:46:01.000+0000","06/03/19 09:46:01 PM","class-B","class-A"
"921124d4-a7a2-4322-a4cb-00012fb7d2b5","2019-06-04T12:26:03.000+0000","06/04/19 12:26:03 PM","class-A","class-B"
"e7c31f3c-0a7a-43fd-bbc9-1c22b1e6898e","2019-06-04T20:31:40.000+0000","06/04/19 08:31:40 PM","class-B","class-A"
"a1b43590-82ad-4ff6-adbf-0577fa8d734f","2019-06-04T20:53:20.000+0000","06/04/19 08:53:20 PM","class-A","class-B"
"f6335754-0b95-4cd1-8bd7-dd47aaff1de9","2019-06-05T22:00:51.000+0000","06/05/19 10:00:51 PM","class-B","class-A"
"c4b1d067-708d-4978-b49e-6a62b53a442b","2019-06-06T08:55:56.000+0000","06/06/19 08:55:56 AM","class-A","class-B"
"84970990-db0f-49c7-93bf-d8a86534585c","2019-06-06T13:00:44.000+0000","06/06/19 01:00:44 PM","class-B","class-A"
"60aeb407-f834-40cb-9e0f-7c826e773433","2019-06-06T16:13:50.000+0000","06/06/19 04:13:50 PM","class-A","class-B"
"b9cd8cc9-d806-4ca8-b9f2-5aeb73c28c44","2019-06-07T01:01:03.000+0000","06/07/19 01:01:03 AM","class-B","class-A"
See entries in bold above.
When I apply the following transaction command:
(edited)
| transaction *some-field* startswith=(from="class-A") endswith=(from="class-B") unifyends=true maxevents=2
Somehow I get two transactions from the rows marked above. I would expect only one, as the first one is not completed.
So I would like to ignore the transaction with transaction id ab1356e2-a18a-4988-9fe4-3fc7f1e1a345.
p.s. I'm not able to use maxopentxn or maxspan
p.p.s. One of the "recognized" transactions starts with ab1356e2-a18a-4988-9fe4-3fc7f1e1a345 and ends with f6335754-0b95-4cd1-8bd7-dd47aaff1de9, which is even more confusing.
Thanks.
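As an added example (not part of the original post, and not Splunk's own transaction implementation), the pairing the question expects can be modelled in Python: events are walked in time order, a "class-A" row opens a transaction, the next "class-B" row closes it, and a second "class-A" row that arrives while one is still open replaces it, so the stale start (ab1356e2 here) is reported as an orphan instead of being turned into a transaction. The constructed sample is a subset of the rows from the question with the same field layout.

```python
import csv
import io
from datetime import datetime

# Constructed sample: five rows copied from the question, same columns.
SAMPLE_CSV = """eventID,"_time","start_time_formated",from,to
"ab1356e2-a18a-4988-9fe4-3fc7f1e1a345","2019-05-31T09:35:08.000+0000","05/31/19 09:35:08 AM","class-A","class-B"
"44318407-96cc-459b-b9b3-ece12cd13916","2019-05-31T09:35:41.000+0000","05/31/19 09:35:41 AM","class-A","class-B"
"4fb3811a-2ac2-46a3-b7c6-ea7106f21878","2019-06-01T04:16:03.000+0000","06/01/19 04:16:03 AM","class-B","class-A"
"d63558d6-c233-4ee3-adf8-66161a784c02","2019-06-03T12:02:01.000+0000","06/03/19 12:02:01 PM","class-A","class-B"
"dce54d12-0dff-4141-8908-ba854ae3255d","2019-06-03T17:02:20.000+0000","06/03/19 05:02:20 PM","class-B","class-A"
"""


def parse_time(value):
    # The "+0000" suffix in the sample parses with %z (Python 3.7+).
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def pair_transactions(csv_text, start_value="class-A", end_value="class-B"):
    """Pair start/end rows in time order; return (transactions, orphan start ids).

    This is a model of the pairing the question wants, not Splunk's algorithm:
    a start row that is still open when another start row arrives is dropped
    as an orphan rather than paired with a later end row.
    """
    rows = sorted(csv.DictReader(io.StringIO(csv_text)),
                  key=lambda r: parse_time(r["_time"]))
    transactions, orphans = [], []
    open_start = None
    for row in rows:
        if row["from"] == start_value:
            if open_start is not None:
                orphans.append(open_start["eventID"])  # duplicated start, never closed
            open_start = row
        elif row["from"] == end_value and open_start is not None:
            duration = (parse_time(row["_time"]) - parse_time(open_start["_time"])).total_seconds()
            transactions.append({"start": open_start["eventID"],
                                 "end": row["eventID"],
                                 "duration": duration})
            open_start = None
    if open_start is not None:
        orphans.append(open_start["eventID"])  # start with no end row at all
    return transactions, orphans


if __name__ == "__main__":
    found, dropped = pair_transactions(SAMPLE_CSV)
    for tx in found:
        print(f"{tx['start'][:8]} -> {tx['end'][:8]}  {tx['duration']:.0f} s")
    print("orphan starts:", [o[:8] for o in dropped])
```

Running it lists the two closed transactions (44318407 -> 4fb3811a and d63558d6 -> dce54d12) and reports ab1356e2 as the orphaned duplicate start.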
You are using the from field as the key for your transaction, but then you are specifying startswith and endswith which are also referencing the from field. You need to use a field that will uniquely identify each transaction. The startswith and endswith should be identifying the beginning event and ending event for that transaction.
Sorry, that was my mistake in editing (so not actually the issue). I've slightly changed the query so that it's more clear in the post 😕
The transaction command should be something like
transaction startswith=(from="class-A") endswith=(from="class-B") unifyends=true maxevents=2
And it's actually working, except that it has one additional transaction generated from event "ab1356e2-a18a-4988-9fe4-3fc7f1e1a345".
I updated the question
This version is missing the field you want to key off of.
OK, let's try this way.
Exact command is
source="cloud_trail" index=index_name
| transaction instanceIdentifier startswith=(toClass="class-A") endswith=(toClass="class-B") unifyends=true
| eval starttime=_time | eval endtime=_time+duration
| eval start_time_formated=strftime(starttime,"%x %r")
| eval end_time_formated=strftime(endtime,"%x %r")
| eval tr_duration = duration * 1000
| eval class="class-A"
| table _time instanceIdentifier class tr_duration
After visualisation it looks similar to the one attached. The problematic behaviour is surrounded in red. Whenever I have a "duplicated" event, it causes the transaction not to be closed, and then I get graphs similar to the one below.
p.s. The image is not visualised in my browser; you can find it here: https://drive.google.com/file/d/18m6lQRw9NfXAFYwV-IOW6QLoOrfwuvg5/view?usp=sharing