Build and use a transaction
The transaction command has plenty of bells and whistles, but you don't need to use all of its complexity to get value. Suppose you know your website is slow or hanging, but do not have specific information about which customers are having the problem. You do know that once users have logged in, every entry in the web logs related to their session includes the user's account number. You can use this common number to tie together related events and find the slow transactions.
To use the transaction command, you usually run a search and pipe the results to transaction. The command requires at least one field and has a number of optional arguments. The command returns transactions -- groups of events that match the specified criteria. Each transaction consists of the raw text of all the associated events, the values of the specified field(s), and the transaction's duration.
This example shows how to use the transaction to find transactions in your web logs that last longer than 2 seconds.
Build a transaction
1. Start by specifying the events you want as the input to the transaction command. Since you are only interested in weblogs at the moment, search for those. Remember that you need to specify the index, because you are using test:
index=test sourcetype=weblog
2. Now you want to tie together events. To do this, you take the output of the search that gets your base events and use the "pipe" operator (|) to direct the search to the transaction command. You specify accountNumber as the field to tie things together. But you have a problem. People log in with their account number more than once. You don't want to connect a login from last week with a login from today. The transaction command has options that let you specify constraints on the timing. The command you want is this:
index=test sourcetype=weblog | transaction accountNumber maxspan=1m maxpause=30
This command groups together events that satisfy all of the following criteria:
- accountNumber: The most important arguments to the transaction command are one or more fields that specify which events to glue together. In this case, you want every event in a single transaction to have the same value for the accountNumber field.
- maxspan=1m: This specifies the maximum total time (here, 1 minute) between the earliest event in the transaction and the latest event.
- maxpause=30: When the events in the transaction are ordered first to last by time, this sets the maximum time between one event and the event immediately following it. The default unit for time is seconds.
3. Run the search. One way to do this is to select Last fifteen minutes from the time range picker. Running your search over a short interval at first lets you see whether the command is giving you what you want.
Here is the sample output of a single transaction emitted by this command:
3/24/10 11:28:54.301 AM
2010-03-24 11:28:54,301 [WEB] INFO messageType = POST, messageStatus = INIT, accountNumber = COT6037774908, host = 10.34.50.48, messageDetails = Begin posting message to content store
2010-03-24 11:28:54,322 [WEB] INFO messageType = POST, messageStatus = TASK, accountNumber = COT6037774908, host = 10.34.50.48, messageDetails = Opening connection to host: [ www.contentstore.com:80 ]
2010-03-24 11:28:54,397 [WEB] INFO messageType = POST, messageStatus = TASK, accountNumber = COT6037774908, host = 10.34.50.48, messageDetails = Connection established to host: [ www.contentstore.com:80 ]
2010-03-24 11:28:54,474 [WEB] INFO messageType = POST, messageStatus = TASK, accountNumber = COT6037774908, host = 10.34.50.48, messageDetails = Writing message to host: [ www.contentstore.com:80 ]
2010-03-24 11:28:54,581 [WEB] INFO messageType = POST, messageStatus = TASK, accountNumber = COT6037774908, host = 10.34.50.48, messageDetails = Finished writing message to host: [ www.contentstore.com:80 ]
2010-03-24 11:28:54,654 [WEB] INFO messageType = POST, messageStatus = TASK, accountNumber = COT6037774908, host = 10.34.50.48, messageDetails = Closing connection to host: [ www.contentstore.com:80 ]
2010-03-24 11:28:54,676 [WEB] INFO messageType = POST, messageStatus = TASK, accountNumber = COT6037774908, host = 10.34.50.48, messageDetails = Connection closed to host: [ www.contentstore.com:80 ]
2010-03-24 11:28:54,760 [WEB] INFO messageType = POST, messageStatus = COMP, accountNumber = COT6037774908, host = 10.34.50.48, messageDetails = Finished posting message to content store
* host=10.34.50.48
* sourcetype=weblog
* source=/var/log/weblogs/webserver23/WEB.log
In this case, you are getting results that have a transactional meaning, with the transaction command stitching together all the events in a single session, from the time the user logs in to the time the transaction is complete.
Show the duration field
Splunk computes the difference between the timestamps for the first and last events in the transaction and stores that in a duration field. You want to display this field in your results. To do this:
1. Click on the duration field in the Field menu to the left of the Search window.
2. Take a minute to look at the pop-out window. It contains a lot of interesting information about the duration field. For instance, you can see that the most common duration time is 2.494 seconds. That's a little fine-grained here, but for other types of logs, this can give you information right away. For example, if you pop out host and see that the top host has far more values than the rest of them, you know to take a closer look at that host.
3. To have duration show with your other results, click Select/show in results.
4. Close the window. You now see duration at the bottom with the default fields.
Show a summary of events
Splunk lets you switch between viewing your full event text and viewing an event table, which shows a summary of your events. This is particularly useful for transactions. To switch to event table view:
1. Click the event table icon at the top left of the results window.
2. You see the event table summary.
Find slow transactions
You can use the duration field, along with the where command, to find all transactions that exceed a specified time interval, in this case 2 seconds:
1. Modify the previous search by piping it to the where command. where filters your data by performing a field evaluation (in this case, duration>2) and keeping only the events that are true:
index=test sourcetype=weblog | transaction accountNumber maxspan=1m maxpause=30s | where duration>2
As you can see, Splunk's search language extends beyond simple searches to let you perform filtering and statistical calculations. (You can even create fields "on the fly" using the eval command and then use those fields to perform additional calculations.) By using pipes and Splunk's extensive set of search commands, you can build searches that are very complex and powerful. See the Search Reference manual for a complete reference to the search operations available with Splunk. Also see Popular search commands in the Search Reference manual for a quick synopsis of commonly used search commands.
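To make the grouping rules from "Build a transaction" and the duration filter from "Find slow transactions" concrete, here is an added example that re-implements, in plain Python, what transaction accountNumber maxspan=1m maxpause=30s | where duration>2 does. This is not Splunk's code and not part of the original page; it assumes the weblog line format shown above, and the sample lines for the ACCT0000000001 and ACCT0000000002 accounts are constructed so that one group is cut by maxpause and another by maxspan.

```python
import re
from datetime import datetime

# Constructed sample log lines in the weblog format shown on this page (not real data).
# COT6037774908: the page's own INIT/COMP pair, 0.459 s apart.
# ACCT0000000001: a 2.5 s transaction, then another one 67.5 s later (beyond maxpause=30s).
# ACCT0000000002: events 25 s apart; the fourth pushes the span past maxspan=1m.
SAMPLE_LOG = """\
2010-03-24 11:28:54,301 [WEB] INFO messageType = POST, messageStatus = INIT, accountNumber = COT6037774908, host = 10.34.50.48, messageDetails = Begin posting message to content store
2010-03-24 11:28:54,760 [WEB] INFO messageType = POST, messageStatus = COMP, accountNumber = COT6037774908, host = 10.34.50.48, messageDetails = Finished posting message to content store
2010-03-24 11:29:00,000 [WEB] INFO messageType = POST, messageStatus = INIT, accountNumber = ACCT0000000001, host = 10.34.50.49, messageDetails = Begin posting message to content store
2010-03-24 11:29:02,500 [WEB] INFO messageType = POST, messageStatus = COMP, accountNumber = ACCT0000000001, host = 10.34.50.49, messageDetails = Finished posting message to content store
2010-03-24 11:30:10,000 [WEB] INFO messageType = POST, messageStatus = INIT, accountNumber = ACCT0000000001, host = 10.34.50.49, messageDetails = Begin posting message to content store
2010-03-24 11:30:10,900 [WEB] INFO messageType = POST, messageStatus = COMP, accountNumber = ACCT0000000001, host = 10.34.50.49, messageDetails = Finished posting message to content store
2010-03-24 11:31:00,000 [WEB] INFO messageType = POST, messageStatus = INIT, accountNumber = ACCT0000000002, host = 10.34.50.50, messageDetails = Begin posting message to content store
2010-03-24 11:31:25,000 [WEB] INFO messageType = POST, messageStatus = TASK, accountNumber = ACCT0000000002, host = 10.34.50.50, messageDetails = Writing message to host: [ www.contentstore.com:80 ]
2010-03-24 11:31:50,000 [WEB] INFO messageType = POST, messageStatus = TASK, accountNumber = ACCT0000000002, host = 10.34.50.50, messageDetails = Closing connection to host: [ www.contentstore.com:80 ]
2010-03-24 11:32:15,000 [WEB] INFO messageType = POST, messageStatus = COMP, accountNumber = ACCT0000000002, host = 10.34.50.50, messageDetails = Finished posting message to content store
"""

# Timestamp at the start of the line, then the accountNumber field (assumed format).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) .*?accountNumber = (?P<acct>[^,]+),"
)


def parse_events(text):
    """Turn raw weblog lines into events carrying _time, accountNumber and _raw."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a line without an accountNumber can never join a transaction
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f")
        events.append({"_time": ts, "accountNumber": m.group("acct"), "_raw": line})
    return events


def transaction(events, field, maxspan_s=60.0, maxpause_s=30.0):
    """Group events sharing `field`. A group is sealed when the next event would
    put first-to-last beyond maxspan_s or the gap since the previous event
    beyond maxpause_s. Returns one record per transaction, oldest first."""
    events = sorted(events, key=lambda e: e["_time"])
    open_groups = {}  # field value -> events of the group still being built
    groups = []
    for ev in events:
        key = ev[field]
        grp = open_groups.get(key)
        if grp is not None:
            span = (ev["_time"] - grp[0]["_time"]).total_seconds()
            pause = (ev["_time"] - grp[-1]["_time"]).total_seconds()
            if span > maxspan_s or pause > maxpause_s:
                groups.append(grp)  # a constraint is broken: seal the old group
                grp = None
        if grp is None:
            grp = open_groups[key] = []  # start a fresh transaction for this key
        grp.append(ev)
    groups.extend(open_groups.values())  # seal whatever is still open at the end
    results = []
    for grp in groups:
        results.append({
            field: grp[0][field],
            "_time": grp[0]["_time"],
            # duration is what Splunk computes: last timestamp minus first timestamp
            "duration": (grp[-1]["_time"] - grp[0]["_time"]).total_seconds(),
            "eventcount": len(grp),
            "_raw": "\n".join(e["_raw"] for e in grp),
        })
    results.sort(key=lambda r: r["_time"])
    return results


def find_slow(text, threshold_s=2.0):
    """Equivalent of: ... | transaction accountNumber maxspan=1m maxpause=30s | where duration>2"""
    txns = transaction(parse_events(text), "accountNumber", maxspan_s=60.0, maxpause_s=30.0)
    return [t for t in txns if t["duration"] > threshold_s]


if __name__ == "__main__":
    for t in find_slow(SAMPLE_LOG):
        print(f"{t['accountNumber']}  duration={t['duration']:.3f}s  eventcount={t['eventcount']}")
```

Running it prints the two slow transactions (ACCT0000000001 at 2.5 s and ACCT0000000002 at 50 s); the page's own COT6037774908 session, at 0.459 s, is grouped but filtered out by the where clause. One assumption to be aware of: this code treats a span or pause exactly equal to the limit as still inside the transaction; whether Splunk's own boundary is inclusive is not stated on this page.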
This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8