
transaction

Group related events into transactions based on common field values and time constraints.

Description

The transaction command groups events that share common field values and occur within specified time or event constraints. This creates transaction records that span multiple events, useful for session analysis, workflow tracking, and multi-stage attack detection.

Syntax

... | transaction <field> [, <field> ...] [startswith=<expr>] [endswith=<expr>] [maxspan=<duration>] [maxevents=<int>]

Required Arguments

field
One or more fields to group by. Events with matching values are grouped together.

Optional Arguments

startswith
Syntax: startswith=<search_expr>
Description: Expression that marks the start of a transaction

endswith
Syntax: endswith=<search_expr>
Description: Expression that marks the end of a transaction

maxspan
Syntax: maxspan=<duration>
Description: Maximum time between first and last event in transaction

maxevents
Syntax: maxevents=<int>
Description: Maximum number of events in a transaction

Examples

Group by session ID

* | transaction session_id maxspan=30m

User sessions

* | transaction user maxspan=1h maxevents=100

Login to logout

* | transaction user startswith=(action="login") endswith=(action="logout") maxspan=8h

Multi-stage attack

* | transaction src_ip 
    startswith=(action="reconnaissance") 
    endswith=(action="data_exfiltration") 
    maxspan=24h

API request flows

* | transaction request_id maxspan=5m
  | where duration > 1000

Connection sessions

* | transaction src_ip, dest_ip, dest_port maxspan=10m

Failed then successful login

action=login
| transaction user 
    startswith=(status="failure") 
    endswith=(status="success") 
    maxspan=15m

Process lifecycle

* | transaction process_id
    startswith=(action="process_create")
    endswith=(action="process_terminate")
    maxspan=1h

Detect port scans

* | transaction src_ip maxspan=1m
  | where eventcount > 100
  | eval scan_type = if(eventcount > 200, "port_scan", "flood")
  | table src_ip, scan_type, eventcount, duration

Usage Notes

Duration field: Each transaction automatically includes a duration field, the time between its first and last event.

Event count: Each transaction includes an eventcount field, the number of events grouped into it.

Performance: The command can be memory-intensive with high-cardinality grouping fields or long maxspan values, since every open transaction must be held until it closes or expires.

Order: Events are ordered chronologically within each transaction.
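To make the grouping rules concrete, here is an added Python model of the command run over constructed login events; it is not nano SIEM's own implementation. It assumes _time is in epoch seconds, that events not matching startswith are ignored while no transaction is open for that key, and that an open transaction which exceeds maxspan without seeing its endswith event is incomplete and dropped (when no endswith is required, it is emitted as-is).

```python
# Constructed sample login events for: action=login | transaction user
#   startswith=(status="failure") endswith=(status="success") maxspan=15m
EVENTS = [
    {"_time": 1000, "user": "alice", "action": "login", "status": "failure"},
    {"_time": 1030, "user": "alice", "action": "login", "status": "failure"},
    {"_time": 1090, "user": "alice", "action": "login", "status": "success"},
    {"_time": 1100, "user": "bob", "action": "login", "status": "success"},
    {"_time": 1200, "user": "bob", "action": "login", "status": "failure"},
    {"_time": 2500, "user": "bob", "action": "login", "status": "success"},
]

def transaction(events, fields, startswith=None, endswith=None,
                maxspan=None, maxevents=None):
    """Group events sharing `fields`; returns records with eventcount/duration."""
    open_txns, closed = {}, []

    def emit(evs):
        closed.append({**{f: evs[0][f] for f in fields}, "events": evs,
                       "eventcount": len(evs),
                       "duration": evs[-1]["_time"] - evs[0]["_time"]})

    for ev in sorted(events, key=lambda e: e["_time"]):  # chronological order
        key = tuple(ev.get(f) for f in fields)
        cur = open_txns.get(key)
        if cur and maxspan is not None and ev["_time"] - cur[0]["_time"] > maxspan:
            # Span exceeded: drop if an endswith event was required (assumption)
            if endswith is None:
                emit(cur)
            del open_txns[key]
            cur = None
        if cur is None:
            if startswith is not None and not startswith(ev):
                continue  # not a start event for this key; ignore it
            cur = open_txns[key] = [ev]
        else:
            cur.append(ev)
        if (endswith is not None and endswith(ev)) or \
           (maxevents is not None and len(cur) >= maxevents):
            emit(open_txns.pop(key))
    if endswith is None:  # no end marker required: open groups are transactions
        for evs in open_txns.values():
            emit(evs)
    return closed

def failed_then_successful_logins(events=EVENTS):
    """The 'Failed then successful login' example; maxspan=15m is 900 seconds."""
    return transaction([e for e in events if e["action"] == "login"], ["user"],
                       startswith=lambda e: e["status"] == "failure",
                       endswith=lambda e: e["status"] == "success", maxspan=900)
```

With the sample data only alice produces a transaction (three events, duration 90 seconds); bob's lone success has no preceding failure, and his later failure/success pair is more than 15 minutes apart, so it never completes.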
