Better Understanding The Transaction Command

So when I initially wrote this post it was to better understand how the Transaction command works. Because, up to this point, I'd mostly stuck to stats and eval for a great deal of my reports and alerts. But after using Transaction I've started going, "Wait! This is extraordinarily helpful." So on top of trying to improve my understanding of how Transaction works, I figured I'd share what I knew.

Because I realize I don't understand 'how' transaction works on any deep and meaningful level. No, I'm not going to take Transaction out on a date; but I'd like to get better acquainted with it and learn what makes it tick. So when something like this comes up:

sourcetype="cisco:firewall" index=firewall (event_id="tunnel-up" OR event_id="tunnel-down")

| transaction device_name startswith=tunnel-down endswith=tunnel-up

sourcetype="cisco:firewall" index=firewall (event_id="tunnel-up" OR event_id="tunnel-down")

| transaction device_name startswith=tunnel-up endswith=tunnel-down

I fully understand the logic and the thinking behind it.

To begin – I understand that Transaction will group sets of data based on the rules you specify. But if I look at what I've written up above, my first question is, "Wait! Why doesn't transaction take all of the events and put them into 1 long transaction?"

I get that if I type just: 'transaction device_name' that is exactly what will happen – 1 long transaction with every event on it. But to make matters worse, when I type this: 'transaction device_name startswith=tunnel-down endswith=tunnel-up' it just works as expected.

Transaction seems to look at the list of events and say 'these events belong together based on that 1 search'. And you know what – it was right. Those events did belong together. I manually checked the events before and after the transaction command. But I never told Transaction, "Hey buddy. See this list of records; based on this 1 line I'd like them grouped like so."

But somehow Transaction turned around and said, "Oh! Okay, here you go." So my second question is, "How did transaction just 'know' to group like events together?"

Because, even with the right options and constraints, I can easily see a scenario where transaction says, "Hey, I took the Columbus Ohio firewall logs and grouped all of the events into 1 long transaction. Organized by tunnel up and tunnel down."

Instead of saying, "Hey, I broke these events into multiple transactions showing when the tunnel went down and when it came back up again. And each transaction is organized by timestamp. With this, you should have the information to write that report you wanted."

So maybe I'm just that good at writing transaction commands. Or maybe I'm not sure how this command works at all. I'm leaning towards the latter.
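To make the "how does it know" question concrete, here is a small Python model of what transaction is doing with startswith/endswith, run over a handful of tunnel-up / tunnel-down events. This is an added illustration, not code from the original post and not Splunk's own implementation. The device names, timestamps and event layout are constructed for the example, and the model keeps two simplifications: events are walked in chronological order (Splunk walks them newest-first, but the grouping comes out the same), and the maxspan/maxpause limits are ignored. Events that fall outside any open transaction are dropped, which matches the command's default of keeporphans=false; the duration, eventcount and closed_txn fields mirror the ones the real command adds.

```python
from datetime import datetime

# Constructed sample events (not real logs): the fields Splunk would already have
# extracted from cisco:firewall tunnel events. _time is an ISO 8601 string, so
# sorting the strings sorts by time.
SAMPLE_EVENTS = [
    {"_time": "2020-05-01T08:00:00", "device_name": "fw-columbus", "event_id": "tunnel-down"},
    {"_time": "2020-05-01T08:04:00", "device_name": "fw-columbus", "event_id": "tunnel-up"},
    {"_time": "2020-05-01T09:30:00", "device_name": "fw-dayton", "event_id": "tunnel-down"},
    {"_time": "2020-05-01T09:31:00", "device_name": "fw-columbus", "event_id": "tunnel-down"},
    {"_time": "2020-05-01T09:45:00", "device_name": "fw-dayton", "event_id": "tunnel-up"},
    {"_time": "2020-05-01T09:46:00", "device_name": "fw-dayton", "event_id": "tunnel-up"},  # duplicate up, nothing open
    {"_time": "2020-05-01T09:50:00", "device_name": "fw-columbus", "event_id": "tunnel-up"},
    {"_time": "2020-05-01T11:00:00", "device_name": "fw-columbus", "event_id": "tunnel-down"},  # still down at end
]


def _matches(event, condition):
    """Stand-in for the startswith/endswith search string: the condition text
    must appear in one of the event's field values."""
    return condition is not None and any(condition in str(v) for v in event.values())


def _summarize(field, group, closed):
    """Collapse a group of events into one transaction record carrying the
    duration, eventcount and closed_txn fields the real command produces."""
    t0 = datetime.fromisoformat(group[0]["_time"])
    t1 = datetime.fromisoformat(group[-1]["_time"])
    return {
        field: group[0][field],
        "_time": group[0]["_time"],
        "duration": (t1 - t0).total_seconds(),
        "eventcount": len(group),
        "closed_txn": 1 if closed else 0,
        "event_ids": [e["event_id"] for e in group],
    }


def transaction(events, field, startswith=None, endswith=None):
    """Group events by `field` the way `transaction <field>` does.

    Without startswith/endswith every event sharing a field value lands in one
    group, which is why `transaction device_name` gives 1 long transaction.
    With them, a startswith match opens a new transaction for that value, an
    endswith match closes it, and events belonging to no open transaction are
    dropped (keeporphans=false). This model expects both or neither.
    """
    if (startswith is None) != (endswith is None):
        raise ValueError("give startswith and endswith together, or neither")
    ordered = sorted(events, key=lambda e: e["_time"])
    open_txns = {}  # field value -> events of the transaction currently open for it
    results = []

    for ev in ordered:
        value = ev[field]
        if startswith is None:
            open_txns.setdefault(value, []).append(ev)
        elif _matches(ev, startswith):
            # A start marker always opens a new transaction; an unfinished one
            # for the same value is emitted as incomplete (closed_txn=0).
            if value in open_txns:
                results.append(_summarize(field, open_txns.pop(value), closed=False))
            open_txns[value] = [ev]
        elif value in open_txns:
            open_txns[value].append(ev)
            if _matches(ev, endswith):
                results.append(_summarize(field, open_txns.pop(value), closed=True))
        # else: an orphan (e.g. a second tunnel-up with no tunnel-down open), dropped

    # Groups still open when the events run out are emitted too; with no
    # boundaries they are simply complete, otherwise they are unfinished.
    for value in list(open_txns):
        results.append(_summarize(field, open_txns.pop(value), closed=startswith is None))
    return results


def tunnel_outages(events):
    """The post's first search: one transaction per tunnel-down ... tunnel-up
    pair, reported as (device, outage start, seconds down) for completed outages."""
    txns = transaction(events, "device_name", startswith="tunnel-down", endswith="tunnel-up")
    return [(t["device_name"], t["_time"], t["duration"]) for t in txns if t["closed_txn"]]


if __name__ == "__main__":
    for device, start, secs in tunnel_outages(SAMPLE_EVENTS):
        print(f"{device} went down at {start} and stayed down {secs:.0f}s")
    for t in transaction(SAMPLE_EVENTS, "device_name", "tunnel-down", "tunnel-up"):
        if not t["closed_txn"]:
            print(f"{t['device_name']} down since {t['_time']} with no tunnel-up yet")
```

Running it shows why the two behaviours in the post differ: the plain `transaction device_name` call returns one record per firewall holding every event, while the startswith/endswith call returns one record per outage, each starting at its tunnel-down, plus an unfinished record for the firewall that has not come back up, which is the one a report or alert should usually flag. Swapping the markers to startswith="tunnel-up" endswith="tunnel-down" turns the same events into uptime intervals instead.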
