Configure Transaction Handling on a DecoderConfigure Transaction Handling on a Decoder
Administrators can configure a Decoder to subdivide incoming sessions into smaller transaction sessions when using Lua parsers designed to create transactions. The feature allows analysts to perform analytics on the split sessions in downstream services such as Investigate.
Caution: Use caution when enabling this feature when you are above the standard ingest rate supported by the Network Decoder as it may start to cause backups with aggregation and dropped packets.
Transaction Handling
The Decoder service configuration node has a new parameter for configuration of transaction handling: /decoder/parsers/config/parser.transaction.mode. This node controls the behavior of the Decoder when a parser defines a transaction within a network session.
The values for parser.transaction.mode correspond to the operating modes:
- off (transactions off)
- meta (transactions represented as meta items)
- split (transactions split sessions)
Transactions OffTransactions Off
When transactions mode is off, any application-level transactions created by parsers are ignored, and nothing is stored in the collection to represent the transaction.
Transactions Represented as Meta ItemsTransactions Represented as Meta Items
In this mode of operation, when a parser generates an application-level transaction, a new meta item of type {{trans}} is added to the session in which the transaction occurred. The {{trans}} meta item contains a list of other meta items that constitute the transaction.
Transactions Split SessionsTransactions Split Sessions
In this mode of operation, when a parser generates an application-level transaction, the session is split. The session splitting is accomplished by:
- A new session item is created.
- Network meta items are copied from the parsed session into the new session.
- Meta items marked in the transaction are moved from the original session to the new session.
The following meta items are duplicated into the split session from the session that was parsed:
- time
- medium
- eth.src
- eth.dst
- eth.type
- ip.proto
- ip.src
- ip.dst
- ipv6.src
- ipv6.dst
- ip.proto
- port.src
- port.dst
- tcp.flags
- udp.srcport
- udp.dstport
- service
- udp.srcport
- udp.srcport
- tls.premaster