The general syntax of a TRIX search is as follows:
search query | trix trix.uniqueIds.fields = ([column1])...
search query | trix trix.uniqueIds.fields = ([column1],[column2])...
where,
search query
a simple search.
trix.uniqueIds.fields
the uniqueId is a strong column name that must be present in the complex event (CE). It can open a CE, it can connect to another CE, and it will pull in a CE that only has weak keys. This parameter is mandatory.
optional parameters:
trix.uniqueSubIds.fields
the uniqueSubId column name is not mandatory in the complex event (CE). It can open a CE and it can be added to another CE that has a uniqueId key, but it cannot connect two uniqueId CEs, and a uniqueSubId should not close an event.
cep.name
the name of each TRIX transaction is extracted from the chosen column.
cep.groups
each transaction is associated with a group.
cep.type
each transaction is associated with a type.
startRule
a filter query denoting a start condition, for example: startRule = (action = login OR operator = login)
endRule
a filter query denoting an end condition, for example: endRule = (action = logout OR operator = logout)
cepNode.maxEventLimit
the maximum number of events per CE.
cepNode.timeframe.limit
a CE is closed after limitTime has expired.
cepNode.event.timeframe.limitFromStart
a CE does not add events that occur more than limitTimeFromStart after its first event.
The TRIX function also returns the following additional values:
cep.id
- The index of the node.
cep.starttime
- Start time of the complex event.
cep.endtime
- End time of the complex event.
cep.eventscount
- Total number of events.
cep.time
- The duration of the cep.
cep.startEvent
- True if the cep has an event that is a start event.
cep.endEvent
- True if the cep has an event that is an end event.
cep.key
- Complex event key.
cep.name
- The value of the name column for the complex event.
cep.groups
- List of groups (if defined in the query).
cep.groups.count
- Number of groups.
cep.type
- The value of the types for the complex event.
cep.logIds
- List of log ids.
cep.hosts
- List of all the hosts.
cep.<name>
- Extract custom enrichments from the cep, where 'name' is the name of the custom enrichment.
cep.fullstate
- OPEN/CLOSE/TIME CLOSE/VOLUME CLOSE/CLOSE PARTIAL/UNKNOWN.
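To make the correlation rules above concrete (how uniqueId and uniqueSubId keys open, join and connect complex events, how startRule/endRule, cepNode.maxEventLimit and cepNode.timeframe.limit close them, and which cep.* values come out), here is a small Python model of those semantics. It is an added example written for this page, not the TRIX engine's own code: the rules are modelled as Python predicates instead of filter queries, the event records, the "sid"/"reqid" column names and the timestamps are constructed sample data, and details the page leaves open (a uniqueSubId-only event joins the first matching CE; a CE whose first event is older than the limit is expired when the next event arrives; the merged CE keeps the id of the CE that absorbed the other) are this example's assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events, not taken from the original page. "sid" plays the
# trix.uniqueIds column, "reqid" the trix.uniqueSubIds column.
SAMPLE_EVENTS = [
    {"time": "2024-01-01T10:00:00", "sid": "S1", "reqid": None, "action": "login", "host": "web1"},
    {"time": "2024-01-01T10:00:05", "sid": "S1", "reqid": "R1", "action": "view", "host": "web1"},
    {"time": "2024-01-01T10:00:07", "sid": None, "reqid": "R1", "action": "db", "host": "db1"},
    {"time": "2024-01-01T10:00:09", "sid": None, "reqid": "R9", "action": "db", "host": "db1"},
    {"time": "2024-01-01T10:00:12", "sid": "S1", "reqid": "R9", "action": "view", "host": "web1"},
    {"time": "2024-01-01T10:00:20", "sid": "S1", "reqid": None, "action": "logout", "host": "web1"},
    {"time": "2024-01-01T10:30:00", "sid": "S2", "reqid": None, "action": "login", "host": "web2"},
    {"time": "2024-01-01T10:45:00", "sid": "S2", "reqid": None, "action": "view", "host": "web2"},
]

class ComplexEvent:
    """One CE: the correlated events plus the strong and weak keys binding them."""
    def __init__(self, cep_id):
        self.id, self.events, self.state = cep_id, [], "OPEN"
        self.strong, self.weak = set(), set()      # uniqueId / uniqueSubId values seen
        self.start_event = self.end_event = False

    def add(self, ev, strong, weak):
        self.events.append(ev)
        self.strong |= strong
        self.weak |= weak

    def absorb(self, other):
        """A uniqueId key connecting two CEs merges them into one (assumed: keeps self.id)."""
        self.events = sorted(self.events + other.events, key=lambda e: e["_t"])
        self.strong |= other.strong
        self.weak |= other.weak
        self.start_event |= other.start_event
        self.end_event |= other.end_event

def keys(ev, cols):
    return {ev[c] for c in cols if ev.get(c) is not None}

def trix(events, unique_ids, unique_sub_ids=(), start_rule=None, end_rule=None,
         max_event_limit=None, timeframe_limit=None, limit_from_start=None):
    """Model of the TRIX correlation rules (assumed semantics, not the engine's code)."""
    open_ces, done, next_id = [], [], 0

    def close(ce, state):
        ce.state = state
        open_ces.remove(ce)
        done.append(ce)

    for raw in sorted(events, key=lambda e: e["time"]):
        ev = dict(raw, _t=datetime.fromisoformat(raw["time"]))
        t = ev["_t"]
        # cepNode.timeframe.limit: a CE is closed once limitTime has expired
        if timeframe_limit is not None:
            for ce in list(open_ces):
                if t - ce.events[0]["_t"] > timeframe_limit:
                    close(ce, "TIME CLOSE")
        strong, weak = keys(ev, unique_ids), keys(ev, unique_sub_ids)
        if strong:
            # a uniqueId joins any CE sharing it and pulls in CEs that only have weak keys
            hits = [ce for ce in open_ces
                    if ce.strong & strong or (not ce.strong and ce.weak & weak)]
        else:
            # a uniqueSubId may join one CE but never connects two CEs (first match: assumption)
            hits = [ce for ce in open_ces if ce.weak & weak][:1]
        # cepNode.event.timeframe.limitFromStart: a CE refuses events too far from its first one
        if limit_from_start is not None:
            hits = [ce for ce in hits if t - ce.events[0]["_t"] <= limit_from_start]
        if hits:
            target = hits[0]
            for other in hits[1:]:          # only a strong key reaches this branch
                target.absorb(other)
                open_ces.remove(other)
        else:
            target = ComplexEvent(next_id)  # no match: the key opens a new CE
            next_id += 1
            open_ces.append(target)
        target.add(ev, strong, weak)
        if start_rule and start_rule(ev):
            target.start_event = True
        if end_rule and end_rule(ev) and strong:        # a uniqueSubId never closes a CE
            target.end_event = True
            close(target, "CLOSE")
        elif max_event_limit and len(target.events) >= max_event_limit:
            close(target, "VOLUME CLOSE")               # cepNode.maxEventLimit reached
    return [summarize(ce) for ce in done + open_ces]

def summarize(ce):
    """The cep.* values listed on the page, for one complex event."""
    ts = [e["_t"] for e in ce.events]
    return {"cep.id": ce.id, "cep.starttime": min(ts).isoformat(),
            "cep.endtime": max(ts).isoformat(), "cep.eventscount": len(ce.events),
            "cep.time": (max(ts) - min(ts)).total_seconds(),
            "cep.startEvent": ce.start_event, "cep.endEvent": ce.end_event,
            "cep.key": sorted(ce.strong or ce.weak),
            "cep.hosts": sorted({e["host"] for e in ce.events}), "cep.fullstate": ce.state}

def demo(max_event_limit=None):
    """Run the sample data with login/logout rules and a 10 minute timeframe limit."""
    return trix(SAMPLE_EVENTS, unique_ids=("sid",), unique_sub_ids=("reqid",),
                start_rule=lambda e: e["action"] == "login",
                end_rule=lambda e: e["action"] == "logout",
                max_event_limit=max_event_limit, timeframe_limit=timedelta(minutes=10))

if __name__ == "__main__":
    for ce in demo():
        print(ce)
```

Running demo() shows the rules in action: the db event that carries only reqid R9 opens a weak-key-only CE, which is pulled into the S1 session as soon as an S1 event with the same reqid arrives, the logout closes that session with state CLOSE, and the S2 session is expired with TIME CLOSE because its next event is 15 minutes after its first. Calling demo(max_event_limit=3) instead ends the first session early with VOLUME CLOSE after three events.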