Forum Discussion
jeremyhAUS
Jul 10, 2023 Brass Contributor
Capturing a single transaction in KQL
Hi, I've got a log coming in which has a transaction ID in it and I'd like to gather the logs into a single event based on the ID. Unfortunately these IDs are recycled after a short while, probabl...
jeremyhAUS
Jul 10, 2023 Brass Contributor
Hi andersbe, thanks for your reply,
That is essentially what I have done with binning them in 15 minute buckets. The syslog messages all have different timestamps, so by using bin(TimeGenerated, 15m) it is collating them by bin, then TRDIN. Unfortunately, sometimes the first event is at, say, 15:57 and the last one is at 16:02, and so the whole transaction gets split across two bins.
What I would really like is the Splunk "transaction" feature which had a "maxspan" parameter that allows you to specify the maximum timespan between the first event and the last event.
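The maxspan-style grouping described above can be expressed in KQL with the built-in row_window_session() function, which starts a new session whenever an event is more than MaxDistanceFromFirst from the session's first event (Splunk's maxspan), more than MaxDistanceBetweenNeighbors from the previous event (Splunk's maxpause), or when the optional Restart expression is true. The query below is an added example and not code from the thread; it assumes the transaction ID has already been parsed out of the syslog text into a TRDIN column, and the datatable rows are constructed sample data standing in for the real Syslog table.

```kql
// Constructed sample data (not real logs): three transactions, one of which
// reuses the ID "A1" about 40 minutes after the first "A1" transaction ended.
let Txn = datatable (TimeGenerated:datetime, TRDIN:string, SyslogMessage:string) [
    datetime(2023-07-10 15:57:00), "A1", "txn A1 start",
    datetime(2023-07-10 15:59:30), "A1", "txn A1 step",
    datetime(2023-07-10 16:02:00), "A1", "txn A1 done",    // crosses the 16:00 bin edge
    datetime(2023-07-10 16:40:00), "A1", "txn A1 start",   // ID recycled, >15m after the first session started
    datetime(2023-07-10 16:41:00), "A1", "txn A1 done",
    datetime(2023-07-10 15:58:00), "B7", "txn B7 start",
    datetime(2023-07-10 15:58:10), "B7", "txn B7 done"
];
Txn
// row_window_session() needs serialized input ordered by ID, then time.
| sort by TRDIN asc, TimeGenerated asc
// TxStart is the timestamp of the first event in each session. A new session
// begins when: 15m have passed since the session's first event (maxspan),
// 15m have passed since the previous event (maxpause), or the ID changes.
| extend TxStart = row_window_session(TimeGenerated, 15m, 15m, TRDIN != prev(TRDIN))
| summarize StartTime  = min(TimeGenerated),
            EndTime    = max(TimeGenerated),
            EventCount = count(),
            Messages   = make_list(SyslogMessage)
    by TRDIN, TxStart
| extend Span = EndTime - StartTime
| order by TRDIN asc, StartTime asc
```

With this sample the 15:57 to 16:02 events land in one row (Span = 5m, EventCount = 3) instead of being split at the 16:00 bin boundary, while the recycled "A1" at 16:40 becomes a second, separate row because it is more than 15m from the first session's start. Tune the two timespan arguments independently: the first bounds the whole transaction, the second bounds the gap between consecutive events.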
andersbe
Jul 10, 2023 MCT
The 15 minute bucket you use today, is that just a way to group all events for an event together?
Is it possible to look at the events instead to find "start event" and look between each "start event" instead?
jeremyhAUS
Jul 10, 2023 Brass Contributor
The 15 minute bucket is a way of constraining the time period during which a group of events can be grouped.