Page Comparison

...

Basic Trix Queries

Query	Explanation
* in log.audit \| trix trix.uniqueIds.fields = (user)	user column as a unique key - mandatory
* in log.audit \| trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields = (pid)	pid column as an optional unique key
* in log.audit \| trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields = (pid) cep.name=(session id)	The name for each complex event will be determined by the session id value
* in log.audit \| trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields = (pid) cep.name=(session id) cep.groups=(session id)	groups list will be determined by the session id values
* in log.audit \| trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields = (pid) cep.name=(session id) cep.groups=(session id) type=(thread)	types list will be determined by the thread values

Data-filtered Trix Queries

Query	Explanation
* in log.audit \| trix trix.uniqueIds.fields = (user) cepNode.maxEventLimit=3	Max number of events for each complex event
* in log.audit \| trix trix.uniqueIds.fields = (user) startRule = (Event Description contains session has started) endRule = (Event Description contains was terminated)	Start and End conditions. To filter only the ceps which stand by the start and end conditions, add the following: \| where hasstartevent = true and hasendevent = true
* in log.audit \| trix trix.uniqueIds.fields = (user) cepNode.timeframe.limit = (5 seconds)	The complex event will be closed after limit-Time has expired
* in log.audit \| trix trix.uniqueIds.fields = (user) cepNode.event.timeframe.limitFromStart = (10 minutes)	Only events which are less than limitTimeFromStart from the first event will be added to the transaction.

Complex Trix Queries

Advanced usage of the Trix function, using multiple limitations:

...

Extra Fields

Explanation

enrichments.pid.first = (pid)

enrichments.pid.all = (context)

enrichments.<name>.<type> - allows adding additional columns to the meta of the cep.

name - the name of the output column to use.

type - the type of the extraction, currently can be ‘first’ (extracts the first value it encounters) or ‘all’ (extracts all values) - optional

Code Block

* IN log.audit | trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields =(pid) startRule = (Event Description contains User logged) endRule = (Event Description contains terminated) cepNode.maxEventLimit = 50 cepNode.timeframe.limit = (5 minutes) cep.name = (user) cep.groups = (type) cep.type = (category) enrichments.pid.all = (pid) enrichments.context.all = (context) | count | group by cep.pid, cep.context

...

Versions Compared

Old Version 7

New Version 8

Key

Basic Trix Queries

Data-filtered Trix Queries

Complex Trix Queries

Page Comparison

Versions Compared

Old Version 7

New Version 8

Key

<span class="diff-html-changed" data-a11y-before="Start of changed content" data-a11y-after="End of changed content" id="changed-diff-0">[data-colorid=</span>

<span class="diff-html-added" data-a11y-before="Start of added content" data-a11y-after="End of added content" id="added-diff-2">x6s1x0koy4</span><span class="diff-html-changed" data-a11y-before="Start of changed content" data-a11y-after="End of changed content" id="changed-diff-3">]{color:</span>

<span class="diff-html-added" data-a11y-before="Start of added content" data-a11y-after="End of added content" id="added-diff-4">x6s1x0koy4</span><span class="diff-html-changed" data-a11y-before="Start of changed content" data-a11y-after="End of changed content" id="changed-diff-5">]{color:</span>

Data-filtered Trix Queries

Complex Trix Queries