A transaction is a meta-event, a collection of events that you want to group together. Transactions can span multiple sources.
A transaction type is a named, reusable transaction definition configured in transactiontypes.conf; once defined, it can be invoked by name from a search instead of repeating its options.
A common transaction search use is to group multiple events into a single meta-event that represents a single physical event. For example, an out of memory problem could trigger several database events to be logged, and they can all be grouped together into a transaction. Use the transaction command to define a transaction or override transaction options specified in transactiontypes.conf.
Example: Run a search that groups together all of the web pages a single user (approximated here by client IP address) looked at, over a time range.
This search takes events from the access logs and builds a transaction from events that share the same clientip value, where consecutive events are no more than 5 minutes apart (maxpause) and the whole group fits within 3 hours (maxspan). Note that clients behind a NAT gateway or proxy share one address, so a single transaction can merge several users' activity.
sourcetype=access_combined | transaction fields=clientip maxpause=5m maxspan=3h
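To make the maxpause and maxspan semantics concrete, here is an added Python model of what that search does, written for this page rather than taken from Splunk's own implementation. It parses a handful of constructed access_combined lines, groups them by clientip, and closes a transaction when the gap to the next event exceeds maxpause or the total span would exceed maxspan. The names parse_events and group_transactions and the sample log are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of sourcetype=access_combined events (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:57:01 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:58:10 +0000] "GET /admin HTTP/1.1" 403 128 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2023:14:00:20 +0000] "GET /account HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:14:09:00 +0000] "GET /logout HTTP/1.1" 200 64 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:15:30:00 +0000] "GET /admin HTTP/1.1" 403 128 "-" "curl/8.0"
"""

# Leading part of the Apache combined log format: ip ident user [time] "request" status bytes
LINE_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_events(log_text):
    """Return a list of event dicts (_time, clientip, request, status) from raw lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole search
        events.append({
            "_time": datetime.strptime(m["ts"], TS_FMT),
            "clientip": m["clientip"],
            "request": m["request"],
            "status": int(m["status"]),
        })
    return events


def group_transactions(events, field="clientip",
                       maxpause=timedelta(minutes=5), maxspan=timedelta(hours=3)):
    """Approximate `transaction fields=<field> maxpause=... maxspan=...`.

    Events are walked oldest-first (a simplification of Splunk's newest-first
    processing; the resulting groups are the same for these two constraints).
    A transaction closes when the next event with the same field value arrives
    more than maxpause after the previous one, or would push the time between
    the first and last event past maxspan.
    """
    open_txns = {}   # field value -> transaction currently being built
    closed = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        key = ev[field]
        txn = open_txns.get(key)
        if txn is not None:
            pause = ev["_time"] - txn["events"][-1]["_time"]
            span = ev["_time"] - txn["events"][0]["_time"]
            if pause > maxpause or span > maxspan:
                closed.append(txn)
                txn = None
        if txn is None:
            txn = {field: key, "events": []}
            open_txns[key] = txn
        txn["events"].append(ev)
    closed.extend(open_txns.values())
    # Fill in the summary fields Splunk adds to each transaction
    for txn in closed:
        first, last = txn["events"][0]["_time"], txn["events"][-1]["_time"]
        txn["eventcount"] = len(txn["events"])
        txn["duration"] = (last - first).total_seconds()
    # Splunk lists newest transactions first
    closed.sort(key=lambda t: t["events"][0]["_time"], reverse=True)
    return closed


if __name__ == "__main__":
    for txn in group_transactions(parse_events(SAMPLE_LOG)):
        requests = [e["request"] for e in txn["events"]]
        print(f"{txn['clientip']}: {txn['eventcount']} events, "
              f"{txn['duration']:.0f}s: {requests}")
```

With the page's settings (maxpause=5m, maxspan=3h) the sample yields four transactions: the first three requests from 203.0.113.5 form one session, its /logout 8m40s later starts a new one, and the two /admin probes from 198.51.100.7 are 90 minutes apart and stay separate. Raising maxpause to 10m merges the 203.0.113.5 activity into a single transaction; tightening maxspan to 10m splits it again because the span from /login to /logout is 13m24s.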
For more information, including use cases and examples, see the "Group events into transactions" chapter of the Knowledge Manager manual.
This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6