Admin Manual

How Splunk Works

Transaction search

Search for transactions with the transaction search command, either in Splunk Web or at the CLI. The transaction command returns groupings of related events that can then be used in reports. To use transaction, either name a transaction type that you have configured in transactiontypes.conf, or define the transaction constraints directly in your search by setting the options of the transaction command.


You can add transaction to any search. For best search performance, narrow the search first and then pipe the results to the transaction command. In each of the following examples, the subsearch in square brackets selects a single src_ip that appears in more than one source, and the outer search groups that address's events into a transaction:


* [search | stats dc(source) as source_count by src_ip | search source_count > 1 | fields src_ip | head 1] | transaction fields=src_ip
* [search | stats dc(source) as source_count max(_time) as _time by src_ip | search source_count > 1 | sort -_time | fields src_ip | head 1] | transaction fields=src_ip
* [search | stats dc(source) as source_count by src_ip | search source_count > 1 | sort -source_count | fields src_ip | head 1] | transaction fields=src_ip
* [search | stats dc(source) as source_count count by src_ip | search source_count > 1 | sort -count | fields + src_ip | head 1] | transaction fields=src_ip

Transactions returned at search time consist of the raw text of each event, the event types shared by the grouped events, and the field values. Each transaction also carries two additional fields: duration and transactiontype. duration is the duration of the transaction (the difference between the timestamps of the first and last events in the transaction). transactiontype is the name of the transaction, which is the stanza name defined in transactiontypes.conf.
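The following added example (not code from the Splunk documentation or the Splunk product) models what the searches above do, so the resulting fields can be inspected outside Splunk: it first reproduces the subsearch (count the distinct sources per src_ip and keep addresses seen in more than one source), then groups that address's events by src_ip and derives the duration field as the difference between the first and last timestamps. The log lines are constructed for the example; the field names `_time`, `_raw`, `source`, `src_ip`, `eventcount` and `duration` follow Splunk's conventions, while the function names are this example's own.

```python
from datetime import datetime

# Constructed sample events (not from the original page): "timestamp source src_ip action"
SAMPLE_LOG = """\
2008-05-01T10:00:00 firewall 10.0.0.5 allow
2008-05-01T10:00:12 webserver 10.0.0.5 GET /login
2008-05-01T10:00:30 firewall 10.0.0.9 allow
2008-05-01T10:01:05 webserver 10.0.0.5 POST /login
2008-05-01T10:02:00 firewall 10.0.0.9 deny
"""


def parse_events(text):
    """Turn each log line into a Splunk-style event dict with _time, _raw and extracted fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, src_ip, *_ = line.split()
        events.append({
            "_time": datetime.fromisoformat(ts),
            "_raw": line,
            "source": source,
            "src_ip": src_ip,
        })
    return events


def multi_source_ips(events):
    """Mirror the subsearch: stats dc(source) by src_ip | search source_count > 1 | fields src_ip."""
    sources_by_ip = {}
    for ev in events:
        sources_by_ip.setdefault(ev["src_ip"], set()).add(ev["source"])
    return sorted(ip for ip, sources in sources_by_ip.items() if len(sources) > 1)


def transaction(events, fields):
    """Group events that share the same values for `fields`, like `transaction fields=...`.

    Each transaction keeps the raw text of its events, the set of sources involved,
    an eventcount, and duration = last timestamp - first timestamp (in seconds).
    """
    groups = {}
    for ev in sorted(events, key=lambda e: e["_time"]):
        key = tuple(ev.get(f) for f in fields)
        if any(v is None for v in key):
            continue  # an event missing a grouping field cannot join a transaction
        groups.setdefault(key, []).append(ev)

    transactions = []
    for key, evs in groups.items():
        tx = dict(zip(fields, key))
        tx["_raw"] = "\n".join(e["_raw"] for e in evs)
        tx["source"] = sorted({e["source"] for e in evs})
        tx["eventcount"] = len(evs)
        tx["duration"] = (evs[-1]["_time"] - evs[0]["_time"]).total_seconds()
        transactions.append(tx)
    return transactions


def run_example(text=SAMPLE_LOG):
    """Full pipeline: subsearch picks one src_ip (head 1), outer search builds its transaction."""
    events = parse_events(text)
    selected = multi_source_ips(events)[:1]          # | head 1
    matching = [e for e in events if e["src_ip"] in selected]
    return transaction(matching, ["src_ip"])


if __name__ == "__main__":
    for tx in run_example():
        print(f"src_ip={tx['src_ip']} eventcount={tx['eventcount']} "
              f"duration={tx['duration']}s sources={tx['source']}")
```

In the constructed data only 10.0.0.5 appears in two sources, so the subsearch selects it and the outer grouping yields a single transaction of three events spanning 65 seconds; 10.0.0.9 never reaches the transaction stage because it was filtered out by the subsearch, which is the performance point made above.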


Transactions and macro search

Transactions and macro search are a powerful combination that allows substitution into your transaction searches. Create a transaction search and then save it with a $field$ placeholder so that the field value can be substituted when the saved search is invoked.

This documentation applies to the following versions of Splunk: 3.2, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6