Log Insight should facilitate understanding transactional flows, where a group of log messages tells a story together. The transaction identifier should be definable in content packs and by users, similar to an extracted field.
- vCenter, vpxa and hostd tasks are identified by an opID, relating task Start, Finish and subtasks within.
- ESXi vMotion tasks are identified by a MigID, relating Source and Destination world operations and network connections.
- ESXi SSH and Shell logins are associated with a shell command by PID, useful for security audits.
It should be possible to perform searches regarding two different log events related by a transaction identifier.
It should be possible to perform searches regarding attributes of the transaction construct itself, such as its Duration.
Transaction identifiers may be reused by some systems (e.g., PID), so this feature should include a time threshold for what is considered within the same transaction.
Subqueries or joins would enable doing some of this manually.
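
The correlation described above, sketched outside Log Insight as an added example (not Log Insight functionality or code from the original post): events are grouped by host and PID, a gap threshold splits reused PIDs into separate transactions, and queries can then target two related events or the transaction's duration. The log line format, the 5-minute default and all function names are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (simplified; not real ESXi log formats).
SAMPLE = """\
2024-05-01T10:00:00Z host1 sshd[4121]: session opened for user root
2024-05-01T10:00:05Z host1 shell[4121]: cmd: cat /etc/hosts
2024-05-01T10:00:40Z host1 sshd[4121]: session closed for user root
2024-05-01T10:01:00Z host1 sshd[5000]: session opened for user admin
2024-05-01T10:01:30Z host1 sshd[5000]: session closed for user admin
2024-05-01T14:30:00Z host1 sshd[4121]: session opened for user ops
2024-05-01T14:30:10Z host1 shell[4121]: cmd: ls /var/log
"""
LINE = re.compile(r"^(\S+) (\S+) (\w+)\[(\d+)\]: (.*)$")

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    ts, host, prog, pid, msg = m.groups()
    ts = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "host": host, "prog": prog, "id": pid, "msg": msg}

def build_transactions(events, max_gap=timedelta(minutes=5)):
    """Group by (host, id); a gap longer than max_gap starts a new transaction."""
    open_tx, done = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["id"])
        tx = open_tx.get(key)
        if tx is None or ev["ts"] - tx[-1]["ts"] > max_gap:
            tx = open_tx[key] = []   # identifier reused: open a fresh transaction
            done.append(tx)
        tx.append(ev)
    return done

def duration(tx):
    """Transaction attribute: seconds between first and last event."""
    return (tx[-1]["ts"] - tx[0]["ts"]).total_seconds()

def find(txs, *patterns):
    """Transactions in which every pattern matches at least one event."""
    return [tx for tx in txs
            if all(any(re.search(p, e["msg"]) for e in tx) for p in patterns)]

EVENTS = [e for e in map(parse, SAMPLE.splitlines()) if e]

if __name__ == "__main__":
    for tx in find(build_transactions(EVENTS), r"opened for user root", r"^cmd: "):
        print(tx[0]["id"], duration(tx), [e["msg"] for e in tx])
```

With the threshold widened to a day, the two unrelated sessions that share PID 4121 merge, and the root login becomes wrongly associated with the later `ls /var/log` command.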