TRIX is a new event correlation function (the “new generation” of the previous transaction function) that builds complex events correlated by different keys and displays the results in new dedicated screens.
A complex event (CE) is an event that consists of one or more events.
These events are connected to one another according to several predefined rules, using fields that should represent a unique (enough) key.
Main result of correlated events to CEP (complex events / transactions):
Zoom in to a specific flow:
The general syntax of a TRIX search is as follows:
search query | trix trix.uniqueIds.fields = ([column1])...
search query | trix trix.uniqueIds.fields = ([column1],[column2])...
where,
search query
a simple search.
trix.uniqueIds.fields
Mandatory. The name of a unique, strong key column that must be present in the complex event (CE). It can open a CE, it can connect to another CE, and it will pull in a CE that has only weak keys.
optional parameters:
trix.uniqueSubIds.fields
The uniqueSubId column name is not mandatory in the complex event (CE). It can open a CE and it can be added to another CE that has a uniqueId key, but it cannot connect two uniqueId CEs. A uniqueSubId should not close an event.
name = [column]
the name of each trix transaction will be extracted from the chosen column.
groups = [column1,column2,column3]
each transaction will be associated with a group.
type = [column]
each transaction will be associated with a type.
startRule = [search query]
a filter query to denote a start condition, such as: startRule = (action = login or operator = login)
endRule = [search query]
a filter query to denote an end condition, such as: endRule = (action = logout or operator = logout)
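
The following Python sketch is an added example, not code from the product: it models the uniqueIds (strong key) and uniqueSubIds (weak key) rules described above on a few constructed events, so the difference between connecting and merely joining a CE can be seen. The field names (txid, order, session), the reading of "pull" as merging a weak-only CE into the strong-keyed one, and the tie-break for a weak key shared by two CEs are assumptions; startRule and endRule are not modelled.

```python
# Simplified model of the strong/weak key rules; not the product's code.
# Field names and sample events are constructed for illustration.
EVENTS = [
    {"id": 1, "session": "s1"},                # weak key only: opens a CE
    {"id": 2, "txid": "T1", "session": "s1"},  # strong key pulls that CE in
    {"id": 3, "order": "O9"},                  # second strong key, new CE
    {"id": 4, "txid": "T1", "order": "O9"},    # strong keys connect both CEs
    {"id": 5, "txid": "T2", "session": "s1"},  # other strong key, same session
    {"id": 6, "session": "s1"},                # weak key shared by two CEs
]

def correlate(events, unique_ids, unique_sub_ids):
    """Group events into complex events (CEs) and return the CE list."""
    ces = []  # each CE: {"strong": set, "weak": set, "events": list}

    def keys(event, fields):
        return {(f, event[f]) for f in fields if event.get(f) is not None}

    for event in events:
        strong, weak = keys(event, unique_ids), keys(event, unique_sub_ids)
        if not strong and not weak:
            continue  # no correlation key, so the event joins no CE
        if strong:
            # A strong key connects every CE that shares it ...
            hits = [c for c in ces if c["strong"] & strong]
            # ... and pulls in CEs that hold only weak keys it shares.
            hits += [c for c in ces if not c["strong"] and c["weak"] & weak]
        else:
            # Assumed tie-break: a weak-only event joins one CE at most
            # (strong-keyed first), so it never connects two uniqueId CEs.
            shared = sorted((c for c in ces if c["weak"] & weak),
                            key=lambda c: not c["strong"])
            hits = shared[:1]
        merged = {"strong": set(strong), "weak": set(weak), "events": []}
        for c in hits:
            merged["strong"] |= c["strong"]
            merged["weak"] |= c["weak"]
            merged["events"] += c["events"]
        merged["events"].append(event)
        ces = [c for c in ces if not any(c is h for h in hits)] + [merged]
    return ces

def grouped_ids(ces):
    return sorted(sorted(e["id"] for e in c["events"]) for c in ces)

if __name__ == "__main__":
    print(grouped_ids(correlate(EVENTS, ["txid", "order"], ["session"])))
```

Event 6 shares its session with both remaining CEs but joins only one of them, so the T1/O9 transaction and the T2 transaction stay separate.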