Build a transaction using multiple fields
This documentation does not apply to the most recent version of Splunk.
The two previous topics both show transactions across two tiers. "Use a transaction across tiers" uses the accountNumber field to create a transaction that combines weblogs with J2EE logs, and "Add fields" shows how to extract and use the subscriberID field to tie together J2EE logs with API logs. Notice that the J2EE logs appear in both of these transactions, because they have both a subscriberID field and an accountNumber field. It would be nice to combine these different transactions into a single transaction, and the transaction command lets you do exactly that. All you have to do is pass two (or more) fields instead of just one.
Create and run the transaction
1. Search on all the logs you need to include:
index=test sourcetype=weblog OR sourcetype=j2eelog OR sourcetype=apilog
2. Now pipe that search to the transaction command.
index=test sourcetype=weblog OR sourcetype=j2eelog OR sourcetype=apilog | transaction accountNumber subscriberID maxspan=1m maxpause=30s
View a summary of events
To look at a summary of your events:
1. Click the event table icon at the top left of the results window.
2. You see the event table summary.
Add multiple fields to your view
You can choose which fields to display using the Field picker at the left of the search window:
1. Click Pick fields at the top of the field menu to the left of the results viewer.
2. To add a field to your view, just click on the name of that field. Selected fields are displayed on the right.
3. To remove a field from the event table view, find that field in the right-hand column and click on the arrow next to the field name.
4. Click Save. You see a summary of each transaction. The fields you selected are shown in columns. For each field, you see all the values that the field takes on anywhere in the transaction. This is a useful way to get an overview of your transactions.
Here, for example, you see:
- an activityCode, which is an internal code from the J2EE logs that shows the activity performed by your application
- the total duration of the transaction
- a list of all the status messages that appear anywhere in the transaction
- a list of the contents of the messageDetails field.
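To make the grouping in the search above concrete, here is an added example (a simplified Python model, not Splunk's implementation and not part of the original documentation) of how passing both accountNumber and subscriberID lets the J2EE event bridge a weblog event and an API event into one transaction, and how maxpause splits a late event into its own transaction. The sample events, the function name build_transactions and the join rule (share one field value, conflict on none) are assumptions made for illustration.

```python
# Simplified model of multi-field transaction grouping (not Splunk's code).
FIELDS = ("accountNumber", "subscriberID")

# Constructed sample events: (epoch seconds, sourcetype, extracted field values)
EVENTS = [
    (0,  "weblog",  {"accountNumber": "A100"}),
    (5,  "j2eelog", {"accountNumber": "A100", "subscriberID": "S7"}),
    (9,  "apilog",  {"subscriberID": "S7"}),
    (12, "weblog",  {"accountNumber": "A200"}),
    (50, "apilog",  {"subscriberID": "S7"}),  # 41 s after the previous S7 event
]

def build_transactions(events, fields=FIELDS, maxspan=60, maxpause=30):
    open_txns, closed = [], []
    for ts, sourcetype, values in sorted(events, key=lambda e: e[0]):
        # Close any transaction this event arrives too late to join.
        still_open = []
        for t in open_txns:
            expired = ts - t["last"] > maxpause or ts - t["first"] > maxspan
            (closed if expired else still_open).append(t)
        open_txns = still_open
        keys = {f: values[f] for f in fields if f in values}
        match = None
        for t in open_txns:
            shares = any(t["keys"].get(f) == v for f, v in keys.items())
            conflicts = any(f in t["keys"] and t["keys"][f] != v for f, v in keys.items())
            if shares and not conflicts:
                match = t
                break
        if match is None:
            match = {"first": ts, "last": ts, "keys": {}, "sourcetypes": []}
            open_txns.append(match)
        match["keys"].update(keys)  # the J2EE event adds subscriberID to the key set
        match["last"] = ts
        match["sourcetypes"].append(sourcetype)
    txns = closed + open_txns
    for t in txns:
        t["duration"] = t["last"] - t["first"]
    return sorted(txns, key=lambda t: t["first"])

if __name__ == "__main__":
    for t in build_transactions(EVENTS):
        print(t["keys"], t["sourcetypes"], "duration=%ss" % t["duration"])
```

With the default limits (60 seconds and 30 seconds, matching maxspan=1m maxpause=30s), the first three events form one transaction even though the weblog and API events share no field directly.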
This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8






