Using the transaction command, I want to group a number of events to obviously make up a transaction, but each contains the same field value, for example Field=334334. All events with this field number should be grouped into one transaction, but with 2 other startswith and endswith events added to it. How can this be done?
I think it sounds like you want to transaction a set of events based on startswith and endswith, and also run a separate transaction based on a Field value and then append them like this;
I am making a few assumptions as said above; also, I am assuming that they might be different datasources, as otherwise you may end up with duplicate results (that you could filter with a | dedup).
Could you provide a sample of the log? I'd guess from the fact that you are asking that events from these transactions can overlap each other, i.e.:
Start A, Event A, Start B, Event A, Event B, Event A, End A, Event B, End B
However, the field 334334 is not present in the start/end events, right?
/k