link
Use link command to group log records into high level business transactions. This command returns the link by fields along with the following details:
Topics:
These are some of the limits associated with the link command:
- The maximum number of groups returned by the query search or query
export using console, CLI, or SDK is 500 when the query contains a
linkcommand.However up to 1 million groups can be processed in a link query execution and the data can be clustered and visualized using
classifycommand - Maximum number of fields that can be included in the link command is 4. If time is one of the fields, then the maximum limit is 5.
Syntax
link [<link_options>] <fieldName> [, <fieldName>), ...]where link_options can be expanded as [includenulls = [true|false]] [includetrends = [true|false]] [span = <span>].
Parameters
The following table lists the parameters used in this command, along with their descriptions.
| Parameter | Description |
|---|---|
|
|
Indicates if the results should include log records where the link by fields are null. The default value is |
|
|
Indicates if the results should include trend data. The default value is |
|
|
Sets the length of time to be used for the result histogram. Syntax:
|
Fields Generated by link for Each Group
The link command produces one row per group. A group is the unique
combination of the input keys. For example:
link 'Host Name (Server)'produces one row for each host name. In this case, a group is a unique host name.link 'Host Name (Server)', 'User Name'produces one row for each unique combination of the host name and the user name. In this case, a group is a unique host name and user name combination.
The following fields are automatically produced for each group:
| Field | Description |
|---|---|
| Collection | The name of the collection where data is persisted. Used with the
linkdetails command
|
| ID | Group ID that is unique within the collection |
| Count | Number of log records within a group. In this UI, you can click
this field to view the log records. You can also use
Shift-Click to select one or more rows in the UI to view
all those log records or cluster the log records, by using the
following options respectively:
|
| Start Time | Earliest timestamp of log records within a group |
| End Time | Latest timestamp of log records within a group |
| Group Duration | Time duration of log records within a group. This field is hidden by default in the UI. You can show this field clicking Options, and selecting Hide/Show Columns option. |
In addition, the following fields are also produced for all the groups. They are also hidden by default in the UI, and can be shown by clicking Options, and selecting Hide/Show Columns:
| Field | Description |
|---|---|
| Query Start Time | Start Time of the query as selected using the time selector. If you override the time by specifying an explicit time range in the query, then that is used. |
| Query End Time | End Time of the query as selected using the time selector. If you override the time by specifying an explicit time range in the query, then that is used. |
| Trend Interval | The interval specified in the span parameter to
the link command. This is the interval used for
timestats and other charts. If no
span was specified, a default is used.
|
| Trend Interval Unit | The unit for the interval specified in the span
parameter to the link command.
|
For examples of using this command in typical scenarios, see:
The following command groups all the fatal logs by transaction:
severity = fatal | link 'Transaction ID'The following command groups all the fatal logs by transaction, and gets the average elapsed time of log records within each group:
severity = fatal | link 'Transaction ID' | stats avg('Elapsed Time (System)') as 'Average Elapsed Time'