Hello,
I've been experimenting with queries that make use of the transaction command but override the _time field. So given the following sample data:
2011-02-01T12:00:00.000-0800 SID=1 (1,2011-01-01T12:00:00.001-0800)
2011-02-01T12:00:00.001-0800 SID=1 (3,2011-01-01T12:00:00.003-0800)
2011-02-01T12:00:00.002-0800 SID=1 (2,2011-01-01T12:00:00.002-0800)
2011-02-01T12:00:00.003-0800 SID=1 (4,2011-01-01T12:00:00.004-0800)
2011-02-01T12:00:00.004-0800 SID=1 (6,2011-01-01T12:00:00.006-0800)
2011-02-01T12:00:00.005-0800 SID=1 (5,2011-01-01T12:00:00.005-0800)
The body of each event contains data in the following format:
(actionId, timestamp)
A given transaction should flow from actionId 1 to 6 with the timestamp in the body and not the timestamp of the event.
So a query would go like:
... (data extracted into fields actionId and actionTimeStamp with actionTimeStamp in epoch time format) | eval _time=actionTimeStamp | sort 0 -_time | transaction SID startswith=(actionId="1") endswith=(actionId="6")
When I compare this to the following slightly different query:
... (data extracted into fields actionId and actionTimeStamp with actionTimeStamp in epoch time format) | eval _time=actionTimeStamp | sort 0 -actionTimeStamp | transaction SID startswith=(actionId="1") endswith=(actionId="6")
I get a different number of transactions. It seems like the first query loses some data when compared to the second. The only thing I can think of is that transaction, for whatever reason, doesn't like it when I override the value of _time and then sort it.
Another possibly related note is that when I do the "eval _time=actionTimeStamp" but don't do the sort, the query never returns for me.
So my question is whether I'm going about the query the right way when I need to do a transaction on a timestamp in the body of the event rather than the original timestamp of the event.
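Added example, not from the original post: a small Python reimplementation of the grouping the post describes, run over the sample data, to show why ordering by the body timestamp rather than the event timestamp changes the resulting transaction. It assumes a simplified rule (a transaction opens at actionId 1 and closes at 6, one open transaction per SID) and is an illustration of the intended flow, not a model of Splunk's transaction command.

```python
import re
from datetime import datetime

# Constructed sample events in the post's format: event time, SID, (actionId, body timestamp).
SAMPLE_EVENTS = """\
2011-02-01T12:00:00.000-0800 SID=1 (1,2011-01-01T12:00:00.001-0800)
2011-02-01T12:00:00.001-0800 SID=1 (3,2011-01-01T12:00:00.003-0800)
2011-02-01T12:00:00.002-0800 SID=1 (2,2011-01-01T12:00:00.002-0800)
2011-02-01T12:00:00.003-0800 SID=1 (4,2011-01-01T12:00:00.004-0800)
2011-02-01T12:00:00.004-0800 SID=1 (6,2011-01-01T12:00:00.006-0800)
2011-02-01T12:00:00.005-0800 SID=1 (5,2011-01-01T12:00:00.005-0800)
"""

EVENT_RE = re.compile(r"^(\S+) SID=(\S+) \((\d+),(\S+)\)$")
TS_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"


def to_epoch(ts):
    """Convert an ISO-8601 timestamp with numeric offset to epoch seconds."""
    return datetime.strptime(ts, TS_FMT).timestamp()


def parse_events(raw):
    """Extract _time, SID, actionId and actionTimeStamp (epoch) from each line."""
    events = []
    for line in raw.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        events.append({
            "_time": to_epoch(m.group(1)),
            "SID": m.group(2),
            "actionId": int(m.group(3)),
            "actionTimeStamp": to_epoch(m.group(4)),
        })
    return events


def transactions(events, time_field, start_id=1, end_id=6):
    """Group events per SID into transactions running from start_id to end_id,
    ordering by time_field (event _time or the body actionTimeStamp).
    Returns a list of (SID, [actionIds in order]) for closed transactions."""
    ordered = sorted(events, key=lambda e: e[time_field])
    open_txns, closed = {}, []
    for e in ordered:
        sid = e["SID"]
        if e["actionId"] == start_id:
            open_txns[sid] = [e["actionId"]]     # a new transaction starts
        elif sid in open_txns:
            open_txns[sid].append(e["actionId"])
            if e["actionId"] == end_id:
                closed.append((sid, open_txns.pop(sid)))
    return closed
```

Ordering by the event timestamp closes the transaction at the fifth event (actionIds 1,3,2,4,6) and leaves action 5 unattached, whereas ordering by the body timestamp yields the intended 1 to 6 flow.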