A transaction is any group of related events that spans time. A transaction type is a configured transaction, saved as a field in Splunk. Any number of data sources can generate transactions over multiple log entries.
For example, a customer shopping in an online store could generate a transaction across multiple sources. Web access events might share a session ID with the event in the application server log; the application server log might contain the account ID, transaction ID, and product ID; the transaction ID may live in the message queue with a message ID, and the fulfillment application may log the message ID along with the shipping status. All of this data represents a single user transaction.
Here are some other examples of transactions:
- Web access events
- Application server events
- Business transactions
- Security violations
- System failures
Transaction search is useful for a single observation of any physical event stretching over multiple logged events. Use the transaction command to define a transaction or override transaction options specified in
To learn more, read "Search for transactions" in this manual.
Configure transaction types
You may want to persist the transaction search you've created. Or you might want to create a lasting transaction type. You can save transactions by editing transactiontypes.conf. Define transactions by creating a stanza and listing specifications.
To learn more about configuring transaction types, read "Define transactions" in this manual.
When to use stats instead of transactions
Transactions aren't the most efficient method to compute aggregate statistics on transactional data. If you want to compute aggregate statistics over transactions that are defined by data in a single field, use the
For example, if you wanted to compute the statistics of the duration of a transaction defined by the field
* | stats min(_time) AS earliest max(_time) AS latest by session_id | eval duration=latest-earliest | stats min(duration) max(duration) avg(duration) median(duration) perc95(duration)
Similarly, if you wanted to compute the number of hits per clientip in an access log:
sourcetype=access_combined | stats count by clientip | sort -count
Also, if you wanted to compute the number of distinct sessions (parameterized by
clientip in an access log:
sourcetype=access_combined | stats dc(cookie) as sessions by clientip | sort -sessions
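To make the difference between a transaction and a plain stats aggregation concrete, the following Python is an added example (not Splunk code and not from this manual) that reproduces what the three stats searches above compute, over a handful of constructed access-log lines. The log layout, the field names _time, clientip and session_id, and the nearest-rank percentile used for perc95 are all assumptions made for the example; Splunk's own perc95 and its ordering of tied sort keys may differ.

```python
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample events (not real log data) in a simplified access_combined-like
# layout: clientip, bracketed timestamp, method, path, session cookie.
SAMPLE_EVENTS = """\
10.0.0.1 [2012-03-01T10:00:00Z] GET /login cookie=s1
10.0.0.1 [2012-03-01T10:00:30Z] GET /cart cookie=s1
10.0.0.1 [2012-03-01T10:05:00Z] POST /checkout cookie=s1
10.0.0.2 [2012-03-01T10:01:00Z] GET / cookie=s2
10.0.0.2 [2012-03-01T10:01:10Z] GET /item cookie=s2
10.0.0.2 [2012-03-01T10:02:00Z] GET /item2 cookie=s2
10.0.0.2 [2012-03-01T11:00:00Z] GET / cookie=s3
10.0.0.3 [2012-03-01T12:00:00Z] GET /admin cookie=s4
"""

LINE_RE = re.compile(
    r"^(?P<clientip>\S+) \[(?P<ts>[^\]]+)\] (?P<method>\S+) (?P<path>\S+) cookie=(?P<cookie>\S+)$"
)


def parse_events(text):
    """Turn raw lines into event dicts with _time (epoch seconds), clientip and session_id."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unmatched lines simply carry no extracted fields, as in Splunk
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"_time": ts.timestamp(), "clientip": m["clientip"], "session_id": m["cookie"]})
    return events


def session_durations(events):
    """stats min(_time) AS earliest max(_time) AS latest by session_id | eval duration=latest-earliest"""
    earliest, latest = {}, {}
    for e in events:
        s = e["session_id"]
        earliest[s] = min(earliest.get(s, e["_time"]), e["_time"])
        latest[s] = max(latest.get(s, e["_time"]), e["_time"])
    return {s: latest[s] - earliest[s] for s in earliest}


def nearest_rank_percentile(sorted_values, p):
    """Nearest-rank percentile; an assumption standing in for Splunk's perc95 estimate."""
    k = max(1, -(-p * len(sorted_values) // 100))  # ceil(p/100 * n) without floats
    return sorted_values[k - 1]


def duration_stats(durations):
    """stats min(duration) max(duration) avg(duration) median(duration) perc95(duration)"""
    values = sorted(durations.values())
    return {
        "min": values[0],
        "max": values[-1],
        "avg": sum(values) / len(values),
        "median": statistics.median(values),
        "perc95": nearest_rank_percentile(values, 95),
    }


def hits_per_clientip(events):
    """stats count by clientip | sort -count  (ties broken by clientip; an assumption)"""
    counts = Counter(e["clientip"] for e in events)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def sessions_per_clientip(events):
    """stats dc(cookie) as sessions by clientip | sort -sessions  (same tie-break assumption)"""
    seen = defaultdict(set)
    for e in events:
        seen[e["clientip"]].add(e["session_id"])
    return sorted(((ip, len(s)) for ip, s in seen.items()), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(duration_stats(session_durations(evs)))
    print(hits_per_clientip(evs))
    print(sessions_per_clientip(evs))
```

Each function is a single pass that keeps one running value per group key, which is why stats scales better than transaction here: nothing has to hold every event of a session in memory or match events into groups before aggregating. The same distinct-sessions-per-clientip figure is a useful monitoring signal in its own right, since one client address fanning out over many session cookies stands out from normal browsing.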
Read the stats command reference for more information about using the search command.
This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 , 4.2 , 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 , 4.3 , 4.3.1 , 4.3.2 , 4.3.3 , 4.3.4 , 4.3.5 , 4.3.6