A TRIX search is used to perform advanced correlations of events from one or more logs. The correlation is done by connecting multiple log events that share one or more keys into a CEP (Complex Event).
TRIX then allows to run analysis, statistics, anomalies and monitoring on the CEP level (the correlated log events).  

The general syntax of a TRIX search is as follows:

    search query | trix trix.uniqueIds.fields = ([column1])...
    search query | trix trix.uniqueIds.fields = ([column1],[column2])...
    search query | trix trix.uniqueIds.fields = ([column1]+[column2])...

where:

search query - a simple search that determines which events will be processed by the Trix.

trix.uniqueIds.fields (mandatory) - a unique and strong column name that must be present in the complex event (CE). It can open a CE, it can connect to another CE, and it will pull in a CE that only has weak keys. Unique fields are the log columns used as the correlation keys to connect several events into a CE. There are 2 ways to define the correlation key:

  • comma-separated list of column names - the Trix will connect events that share any of the specified columns.

  • combined list of column names (joined by +) - the Trix will connect events that share all of the specified columns.
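To make the difference between the two key forms concrete, here is an added Python model of the grouping (example code, not part of this page or of the product's TRIX implementation). It runs over a constructed set of login events keyed on user and src_ip: with the comma form one shared value is enough to chain events, so a second user seen from the same IP lands in the same CE, while the + form only joins events that agree on every key.

```python
from collections import defaultdict

# Constructed sample events (not real logs): one user active from two IPs,
# a second user sharing one of those IPs, and an unrelated third user.
EVENTS = [
    {"user": "alice", "src_ip": "10.0.0.5",  "action": "login"},
    {"user": "alice", "src_ip": "10.0.0.5",  "action": "download"},
    {"user": "alice", "src_ip": "10.0.0.9",  "action": "download"},
    {"user": "bob",   "src_ip": "10.0.0.9",  "action": "login"},
    {"user": "carol", "src_ip": "10.0.0.77", "action": "login"},
]

def correlate(events, fields, mode):
    """Group events into CEs by the given correlation key fields.
    mode="any" models trix.uniqueIds.fields = ([f1],[f2])  (comma: share any key)
    mode="all" models trix.uniqueIds.fields = ([f1]+[f2])  (plus: share all keys)
    Returns a list of CEs, each a list of event indexes in arrival order.
    """
    parent = list(range(len(events)))        # union-find over event indexes
    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]     # path compression
            i = parent[i]
        return i
    def union(a, b):
        parent[find(a)] = find(b)
    seen = {}                                # correlation key -> first event with it
    for idx, ev in enumerate(events):
        if mode == "all":
            if not all(f in ev for f in fields):
                continue                     # a missing key: event stays uncorrelated
            keys = [tuple((f, ev[f]) for f in fields)]   # one combined key
        else:
            keys = [(f, ev[f]) for f in fields if f in ev]  # one key per field
        for key in keys:
            if key in seen:
                union(idx, seen[key])        # shared key connects the events
            else:
                seen[key] = idx              # first sighting opens a CE
    groups = defaultdict(list)
    for idx in range(len(events)):
        groups[find(idx)].append(idx)
    return sorted(groups.values())

if __name__ == "__main__":
    for mode in ("any", "all"):
        print(mode, correlate(EVENTS, ["user", "src_ip"], mode))
```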

optional parameters:

trix.uniqueSubIds.fields - the uniqueSubId column name is not mandatory in the complex event (CE). It can open a CE and it can be added to another CE that has a uniqueId key, but it cannot connect two uniqueId CEs, and a uniqueSubId should not close a CE.

cep.name - the display name of each CE step in the flow will be extracted from the specified column.

cep.groups - an additional option for display/filter of CE steps, extracted from the specified column.

cep.type - each CE will be associated to a type.

cep.maxEventLimit - max number of events per CE.

cep.timeframe.limit - a CE should be closed after the specified limitTime.

cep.event.timeframe.limitFromStart - a CE should be closed after the specified limitTimeFromStart from the first CE event.

enrichments.<name>.<type> - allows adding additional columns to the meta of the cep:

  • name - the name of the output column to use; can be any name.

  • type - the type of the extraction; currently can be ‘first’ (extracts the first value it encounters in the CE) or ‘all’ (extracts all values).

startRule - a filter query to denote a start condition, such as: startRule = (action = login OR operator = login)

endRule - a filter query to denote an end condition, such as: endRule = (action = logout OR operator = logout)

cepNode.maxEventLimit - max number of events per CE.

cepNode.timeframe.limit - a CE should be closed after limitTime has expired.

cepNode.event.timeframe.limitFromStart - a CE should not add events that are more than limitTimeFromStart from the first event.

The TRIX function also returns the following additional values:

...