The general syntax of a TRIX search is as follows:
...
trix.uniqueIds.fields
A unique (strong) key column name that must be present in the complex event (CE). A unique key can open a CE, it can connect to another CE, and it will pull in a CE that only has weak keys. This parameter is mandatory.
optional parameters:
trix.uniqueSubIds.fields
A uniqueSubId (weak key) column name that is not mandatory in the complex event (CE). A uniqueSubId can open a CE and can be added to another CE that has a uniqueId key, but it cannot connect two uniqueId CEs, and a uniqueSubId should not close an event.
...
cepNode.event.timeframe.limitFromStart
A CE should not add events that occur more than limitFromStart after the first event of the CE.
The TRIX function also returns the following additional values:
cep.id
- The index of the node.
cep.starttime
- Start time of the complex event.
cep.endtime
- End time of the complex event.
cep.eventscount
- Total number of events.
cep.time
- The duration of the cep.
cep.startEvent
- True if the cep has an event that is a start event.
cep.endEvent
- True if the cep has an event that is an end event.
cep.key
- Complex event key.
cep.name
- The value of the name column for the complex event.
cep.groups
- List of groups (if defined in the query).
cep.groups.count
- Number of groups.
cep.type
- The value of the types for the complex event.
cep.logIds
- List of log ids.
cep.hosts
- List of all the hosts.
cep.<name>
- Extract custom enrichments from the cep where ‘name’ is the name of the custom enrichment.
cep.fullstate
- OPEN/CLOSE/TIME CLOSE/VOLUME CLOSE/CLOSE PARTIAL/UNKNOWN.
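The uniqueIds / uniqueSubIds / limitFromStart rules and the time- and count-derived cep.* values, as an added Python model that is not TRIX code: each event carries its uniqueIds values (strong keys) and uniqueSubIds values (weak keys), and correlate() applies the open/connect/pull-in rules inside a limitFromStart window. Where the page is silent (which CE a weak key joins when several match), the choice of the earliest CE is an assumption, and the sample events are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Event:
    ts: int              # event time in seconds (constructed sample values below)
    strong: frozenset    # values of the trix.uniqueIds.fields columns
    weak: frozenset      # values of the trix.uniqueSubIds.fields columns

@dataclass
class CE:
    strong: set = field(default_factory=set)
    weak: set = field(default_factory=set)
    events: list = field(default_factory=list)
    def absorb(self, ev):
        self.strong |= ev.strong
        self.weak |= ev.weak
        self.events.append(ev)
    def summary(self):  # the time- and count-derived cep.* values on the page
        ts = [e.ts for e in self.events]
        return {"cep.starttime": min(ts), "cep.endtime": max(ts),
                "cep.eventscount": len(ts), "cep.time": max(ts) - min(ts)}

def correlate(events, limit_from_start):
    """Model of the key rules: a strong key opens a CE, connects CEs sharing it and
    pulls in weak-only CEs; a weak key opens or joins a CE but never bridges two
    CEs that own a strong key; limit_from_start mirrors limitFromStart."""
    ces = []
    for ev in sorted(events, key=lambda e: e.ts):
        fresh = [c for c in ces if ev.ts - c.events[0].ts <= limit_from_start]
        if ev.strong:
            targets = [c for c in fresh if c.strong & ev.strong]
            targets += [c for c in fresh if c.weak & ev.weak and not c.strong]
        else:
            targets = [c for c in fresh if c.weak & ev.weak][:1]  # assumption: earliest
        if not targets:                  # nothing reachable in the window: open a CE
            targets = [CE()]
            ces.append(targets[0])
        head, *rest = targets            # connect every reachable CE into one
        for other in rest:
            for e in other.events: head.absorb(e)
            ces.remove(other)
        head.absorb(ev)
    return ces

# Constructed sample: S* are uniqueId values, p* are uniqueSubId values
SAMPLE_EVENTS = [
    Event(0, frozenset({"S1"}), frozenset({"p1"})),
    Event(10, frozenset(), frozenset({"p2"})),        # opens a weak-only CE
    Event(20, frozenset({"S2"}), frozenset({"p2"})),  # S2 pulls that CE in
    Event(30, frozenset(), frozenset({"p1"})),        # joins the S1 CE via p1
    Event(40, frozenset({"S1", "S2"}), frozenset()),  # connects the two CEs
    Event(500, frozenset({"S1"}), frozenset()),       # past limitFromStart: new CE
]
```

Running `correlate(SAMPLE_EVENTS, 100)` yields two CEs: one holding the first five events (cep.time 40) and a second opened by the event that fell outside the window.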