Forum Discussion
jeremyhAUS (Brass Contributor)
Jul 10, 2023
Capturing a single transaction in KQL
Hi,
I've got a log coming in which has a transaction ID in it, and I'd like to gather the logs into a single event based on the ID. Unfortunately these IDs are recycled after a short while, probably within the same day. I was using the make_set aggregation function and trying to tune the maxsize parameter, but there is no single value I can give it which gives me perfect results. I have ended up with the query below, which is almost perfect, but if the transaction crosses the time bin I have specified then it gets split in two. Is there a better way to do this?
Syslog
| where Facility =~ "mail"
| extend TRNID = extract("TRNID (\\d+)",1,SyslogMessage)
| project TimeGenerated, TRNID, SyslogMessage
| summarize events=make_set(SyslogMessage,150) by TRNID,bin(TimeGenerated,15m)
4 Replies
- Hi,
Would it help to include TimeGenerated as a filter to show the specific transaction ID for the day it was generated? You mention the ID might be reused within one day, but the TimeGenerated and ID combination should be unique.
- jeremyhAUS (Brass Contributor)
Hi andersbe, thanks for your reply,
That is essentially what I have done by binning them into 15-minute buckets. The syslog messages all have different timestamps, so by using bin(TimeGenerated,15m) it is collating them by bin and then by TRNID. Unfortunately, sometimes the first event is at, say, 15:57 and the last one at 16:02, so the whole transaction gets split across two bins.
What I would really like is the Splunk "transaction" feature, which has a "maxspan" parameter that allows you to specify the maximum timespan between the first event and the last event.
- The 15-minute bucket you use today, is that just a way to group all events for an event together?
Is it possible to look at the events instead, find a "start event", and look between each "start event"?
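The maxspan-style grouping jeremyhAUS asks for (first event to last event of a transaction, independent of any bin boundary) can be expressed in KQL with row_window_session(), which returns a session start time and opens a new session when the grouping expression changes, when the time since the session's first event exceeds one limit, or when two neighbouring events are further apart than a second limit. The query below is an added example written for this thread, not code from any of the posters: the datatable rows are constructed sample syslog lines (one TRNID 42 run that straddles the 16:00 bin boundary, and a later reuse of ID 42), and the 1h and 15m limits are assumed values to be tuned to the real mail log.

```kusto
// Added example, not from the thread. Constructed sample rows standing in for Syslog:
// TRNID 42 runs 15:57-16:02 (crosses a 15m bin edge), TRNID 77 is a short transaction,
// and TRNID 42 is recycled hours later for an unrelated transaction.
let sample = datatable(TimeGenerated:datetime, SyslogMessage:string) [
    datetime(2023-07-10 15:57:00), "TRNID 42 client=mx1 connect",
    datetime(2023-07-10 15:58:30), "TRNID 42 from=<a@example.test>",
    datetime(2023-07-10 16:02:00), "TRNID 42 status=sent",
    datetime(2023-07-10 15:59:10), "TRNID 77 client=mx2 connect",
    datetime(2023-07-10 15:59:40), "TRNID 77 status=deferred",
    datetime(2023-07-10 18:30:00), "TRNID 42 client=mx3 connect",
    datetime(2023-07-10 18:31:00), "TRNID 42 status=bounced"
];
sample
// Same extraction as the original query, written with a verbatim string literal.
| extend TRNID = extract(@"TRNID (\d+)", 1, SyslogMessage)
| where isnotempty(TRNID)
// row_window_session() walks rows in order, so sort by ID and then by time;
// sort serializes the rows, which prev() below requires.
| sort by TRNID asc, TimeGenerated asc
// New session when: the ID changes (Restart), more than 1h has passed since the
// session's first event (the Splunk maxspan idea), or neighbouring events are more
// than 15m apart (the Splunk maxpause idea). Limits are assumed; tune to the log.
| extend SessionStart = row_window_session(TimeGenerated, 1h, 15m, TRNID != prev(TRNID))
// One row per (TRNID, session): the transaction's own first/last time and its messages.
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated),
            EventCount = count(), events = make_list(SyslogMessage, 150)
    by TRNID, SessionStart
| order by StartTime asc
```

To run it against the real table, replace the sample with `Syslog | where Facility =~ "mail"` and keep a tight time filter on TimeGenerated first, because the sort runs over every row that survives the filter. The neighbour gap also separates the recycled ID, since the reuse appears far later than the original run. If the log has a recognisable first message per transaction, the second reply's suggestion fits the same call: extend the Restart argument with a predicate on that message (for example `or SyslogMessage has "connect"`, assuming that is the start marker in your log) so a session is forced to begin there.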