Understand transactions in Splunk
This documentation does not apply to the most recent version of Splunk.
For many application management use cases, including fault detection and monitoring, you frequently want to tie multiple events together into a single transaction. In Splunk, a transaction is any sequence of information exchange and related work that you want to treat as a unit.
The events in your logs often contain overlapping information that you can use to tie events together. For example, web logs often carry a session ID field that appears in more than one event. By tying those events together, you get a view of the entire session and how long it took. For troubleshooting, you can find sessions that never completed or that exceeded a duration threshold. The same grouping shows how users interact with your application or site and how long they take to accomplish a task. Splunk's transaction command ties events together based on a time window and one or more shared field values, so you can measure duration, test whether a transaction completed, and more. The associations can span tiers and use multiple keys.
See About transactions and Search for transactions in the Knowledge Manager manual for more information about transactions and the transaction command.
This walkthrough shows how to use Splunk's transaction command to find web transactions that exceed a specified duration. It also gives some examples of how to construct transactions that cross tiers.
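To make the grouping rules concrete before the walkthrough, here is an added example (not code from Splunk or from this manual) that reimplements the core of the transaction command in plain Python and runs it over a handful of constructed web-log lines. It groups events by a session ID, splits groups on the same constraints the command exposes (maxspan, maxpause, startswith, endswith), and then reports transactions that exceeded a duration threshold and transactions that never reached their end event. The log lines, the JSESSIONID query parameter, the /login and /checkout paths and the 60-second threshold are all assumptions made for the example; in Splunk the equivalent duration search would be `sourcetype=access_combined | transaction JSESSIONID maxspan=30m | where duration > 60`.

```python
"""Group web-log events into transactions the way Splunk's transaction command does.

Added example: a plain-Python mirror of `| transaction <key> maxspan= maxpause=
startswith= endswith=`; it is not Splunk's own code.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, List, Optional

# Constructed sample access-log lines (not real traffic). The session ID is
# assumed to travel in the query string as JSESSIONID.
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2010:10:00:00 +0000] "GET /login?JSESSIONID=A1 HTTP/1.1" 200 512
10.0.0.7 - - [01/May/2010:10:00:05 +0000] "GET /login?JSESSIONID=B2 HTTP/1.1" 200 512
10.0.0.9 - - [01/May/2010:10:00:10 +0000] "GET /login?JSESSIONID=C3 HTTP/1.1" 200 512
10.0.0.11 - - [01/May/2010:10:00:12 +0000] "GET /login?JSESSIONID=D4 HTTP/1.1" 200 512
10.0.0.7 - - [01/May/2010:10:00:25 +0000] "POST /checkout?JSESSIONID=B2 HTTP/1.1" 200 88
10.0.0.5 - - [01/May/2010:10:00:30 +0000] "GET /cart?JSESSIONID=A1 HTTP/1.1" 200 1024
10.0.0.9 - - [01/May/2010:10:00:40 +0000] "GET /cart?JSESSIONID=C3 HTTP/1.1" 200 1024
10.0.0.5 - - [01/May/2010:10:01:10 +0000] "POST /checkout?JSESSIONID=A1 HTTP/1.1" 200 88
10.0.0.11 - - [01/May/2010:10:20:12 +0000] "GET /cart?JSESSIONID=D4 HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)


@dataclass
class Event:
    time: datetime
    client: str
    method: str
    path: str
    status: int
    session: Optional[str]


@dataclass
class Transaction:
    key: str
    events: List[Event] = field(default_factory=list)
    complete: bool = False  # set only when an endswith event closed the transaction

    @property
    def duration(self) -> float:
        """Seconds between the first and last event, like Splunk's duration field."""
        return (self.events[-1].time - self.events[0].time).total_seconds()

    @property
    def eventcount(self) -> int:
        return len(self.events)


def parse_log(text: str) -> List[Event]:
    """Parse access-log lines; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        sess = re.search(r"JSESSIONID=([A-Za-z0-9]+)", m["path"])
        events.append(Event(
            time=datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            client=m["client"], method=m["method"], path=m["path"].split("?")[0],
            status=int(m["status"]), session=sess.group(1) if sess else None))
    return events


def transaction(events: List[Event], key: str,
                maxspan: Optional[timedelta] = None, maxpause: Optional[timedelta] = None,
                startswith: Optional[Callable[[Event], bool]] = None,
                endswith: Optional[Callable[[Event], bool]] = None) -> List[Transaction]:
    """Group events sharing `key`; events whose key is missing are dropped, as in Splunk."""
    open_txns, out = {}, []
    for ev in sorted(events, key=lambda e: e.time):
        k = getattr(ev, key)
        if k is None:
            continue
        cur = open_txns.get(k)
        if cur is not None:
            # A new start event, or a breach of maxspan/maxpause, evicts the open
            # transaction without its end event, so it is reported as incomplete.
            evict = ((startswith is not None and startswith(ev))
                     or (maxspan is not None and ev.time - cur.events[0].time > maxspan)
                     or (maxpause is not None and ev.time - cur.events[-1].time > maxpause))
            if evict:
                out.append(cur)
                cur = None
        if cur is None:
            cur = open_txns[k] = Transaction(key=k)
        cur.events.append(ev)
        if endswith is not None and endswith(ev):
            cur.complete = True
            out.append(cur)
            del open_txns[k]
    out.extend(open_txns.values())  # still open when the data ran out: never saw an end event
    if endswith is None:  # without an end condition, completeness is not meaningful
        for t in out:
            t.complete = True
    return sorted(out, key=lambda t: t.events[0].time)


def slow_transactions(txns: List[Transaction], threshold_seconds: float) -> List[Transaction]:
    return [t for t in txns if t.complete and t.duration > threshold_seconds]


def incomplete_transactions(txns: List[Transaction]) -> List[Transaction]:
    return [t for t in txns if not t.complete]


def run_demo() -> List[Transaction]:
    return transaction(parse_log(SAMPLE_LOG), "session",
                       maxspan=timedelta(minutes=30), maxpause=timedelta(minutes=5),
                       startswith=lambda e: e.path == "/login",
                       endswith=lambda e: e.path == "/checkout")


if __name__ == "__main__":
    txns = run_demo()
    for t in txns:
        print(f"{t.key}: {t.eventcount} events, {t.duration:.0f}s, complete={t.complete}")
    print("slow:", [t.key for t in slow_transactions(txns, 60)])
    print("incomplete:", [t.key for t in incomplete_transactions(txns)])
```

On the sample data, session A1 is the only completed checkout that took longer than 60 seconds, C3 logged in and never checked out, and D4 is split into two incomplete transactions because the 20-minute gap between its events exceeds maxpause. The grouping is only as good as the key: events that lack the session ID are dropped silently, and a session ID reused by two clients would merge their events into one transaction, so check the key's coverage and uniqueness before trusting duration or completion numbers.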
Other uses of transactions
- For infrastructure logs, you can use an IP address to track the network behavior of a host through the router logs to look for network-layer abnormalities.
This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8