A TRIX search is used to perform advanced correlations of events from one or more logs. The correlation is done by connecting multiple log events that share one or more keys into a CEP (Complex Event).
TRIX then allows running analysis, statistics, anomaly detection and monitoring at the CEP level (on the correlated log events).

...

trix.uniqueIds.fields - the name of a unique, strong key column that must be present in the complex event (CE). It can open a CE, it can connect to another CE, and it will pull in a CE that only has weak keys. Mandatory.

optional parameters:

trix.uniqueSubIds.fields - the name of a uniqueSubId column; it is not mandatory in the complex event (CE). It can open a CE and it can be added to another CE that has a uniqueId key, but it cannot connect two uniqueId CEs, and a uniqueSubId should not close an event.

...

cepNode.event.timeframe.limitFromStart - a CE should not add events that occur more than limitTimeFromStart after its first event.

enrichments.<name>.<type> - allows adding additional columns to the meta of the CEP. name - the name of the output column to use; it can be any name. type - the type of extraction; currently it can be ‘first’ (extracts the first value it encounters in the CE) or ‘all’ (extracts all values). The default is all.
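To make the key rules above concrete, here is an added Python illustration (not TRIX's own code) that correlates constructed log events into CEs using uniqueId (strong) and uniqueSubId (weak) keys, enforces the limitFromStart window, and computes 'first' and 'all' enrichments. The field names, sample events and the exact merge policy (a weak-only event attaches to at most one uniqueId CE; an event past the window opens a new CE) are assumptions.

```python
# Assumed field names and settings (constructed for this illustration).
UNIQUE_IDS = ("req", "txn")       # strong keys: trix.uniqueIds.fields
UNIQUE_SUB_IDS = ("sess",)        # weak keys:   trix.uniqueSubIds.fields
LIMIT_FROM_START = 60             # cepNode.event.timeframe.limitFromStart
ENRICHMENTS = {"user": "first", "status": "all"}  # enrichments.<name>.<type>

# Constructed sample events: request/transaction ids are strong keys,
# the session cookie is a weak key.
EVENTS = [
    {"ts": 0, "sess": "s9", "msg": "cookie seen"},          # opens a weak-only CE
    {"ts": 2, "req": "r1", "sess": "s9", "user": "alice"},  # strong key pulls it in
    {"ts": 7, "req": "r2", "sess": "s9", "user": "alice"},  # weak match to a uniqueId CE: stays apart
    {"ts": 9, "req": "r1", "status": 500},
    {"ts": 12, "req": "r2", "txn": "t1"},
    {"ts": 15, "txn": "t1", "req": "r1", "status": 302},    # strong keys connect the r1 and r2 CEs
    {"ts": 80, "req": "r1", "status": 200},                 # beyond limitFromStart: new CE
]

def keys(ev, fields):  # (field, value) pairs so values in different fields never collide
    return {(f, ev[f]) for f in fields if f in ev}

def correlate(events, strong_fields, weak_fields, limit):
    ces = []  # each CE: {"strong": set, "weak": set, "events": [sorted by ts]}
    for ev in sorted(events, key=lambda e: e["ts"]):
        s, w = keys(ev, strong_fields), keys(ev, weak_fields)
        # a CE may only take events within `limit` of its first event
        live = [c for c in ces if ev["ts"] - c["events"][0]["ts"] <= limit]
        hits = [c for c in live if c["strong"] & s]
        weak_hits = [c for c in live if c["weak"] & w and not any(c is h for h in hits)]
        if s:   # uniqueId: connects all strong matches and pulls in weak-only CEs
            targets = hits + [c for c in weak_hits if not c["strong"]]
        else:   # uniqueSubId: joins at most one uniqueId CE, never connects two
            targets = [c for c in weak_hits if c["strong"]][:1] \
                    + [c for c in weak_hits if not c["strong"]]
        ce = {"strong": set(s), "weak": set(w), "events": [ev]}
        for t in targets:  # merge every target into the new CE
            ces.remove(t)
            ce["strong"] |= t["strong"]
            ce["weak"] |= t["weak"]
            ce["events"] += t["events"]
        ce["events"].sort(key=lambda e: e["ts"])
        ces.append(ce)
    return ces

def enrich(ce, enrichments):  # 'first' takes the first value seen, 'all' every value
    meta = {}
    for name, kind in enrichments.items():
        values = [e[name] for e in ce["events"] if name in e]
        meta[name] = (values[0] if values else None) if kind == "first" else values
    return meta
```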

The TRIX function also returns the following additional values:

...