About transactions
A transaction is any group of related events that spans time. A transaction type is a configured transaction, saved as a field in Splunk. Any number of data sources can generate transactions over multiple log entries.
For example, a customer shopping in an online store could generate a transaction across multiple sources. Web access events might share a session ID with the event in the application server log; the application server log might contain the account ID, transaction ID, and product ID; the transaction ID may live in the message queue with a message ID, and the fulfillment application may log the message ID along with the shipping status. All of this data represents a single user transaction.
Here are some other examples of transactions:
- Web access events
- Application server events
- Business transactions
- E-mails
- Security violations
- System failures
Transaction search
Transaction search is useful when a single real-world activity stretches over multiple logged events and you want to observe it as one unit. Use the transaction command to define a transaction on the fly, or to override the transaction options specified in transactiontypes.conf.
To learn more, read "Search for transactions" in this manual.
Configure transaction types
You may want to persist a transaction search you've created, or create a lasting transaction type. You do this by editing transactiontypes.conf: define each transaction type as a stanza that lists its specifications.
To learn more about configuring transaction types, read "Define transactions" in this manual.
When to use stats instead of transactions
Transactions aren't the most efficient method to compute aggregate statistics on transactional data. If you want to compute aggregate statistics over transactions that are defined by data in a single field, use the stats command.
For example, if you wanted to compute the statistics of the duration of a transaction defined by the field session_id:
* | stats min(_time) AS earliest max(_time) AS latest by session_id | eval duration=latest-earliest | stats min(duration) max(duration) avg(duration) median(duration) perc95(duration)
Similarly, if you wanted to compute the number of hits per clientip in an access log:
sourcetype=access_combined | stats count by clientip | sort -count
Also, if you wanted to compute the number of distinct sessions (parameterized by cookie) per clientip in an access log:
sourcetype=access_combined | stats dc(cookie) as sessions by clientip | sort -sessions
Read the stats command reference for more information about using the stats command.
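As an added illustration (not from the Splunk documentation), the following Python reproduces what the three stats pipelines above compute, run over a constructed set of access events. The field names session_id, clientip and cookie are the ones used in the searches; the percentile function is a nearest-rank approximation and is assumed to differ slightly from Splunk's own perc95.

```python
import math
from collections import Counter, defaultdict
from statistics import mean, median

# Constructed sample events (made up for this example) standing in for access_combined data; _time is epoch seconds.
EVENTS = [
    {"_time": 1000, "session_id": "s1", "clientip": "10.0.0.1", "cookie": "c1"},
    {"_time": 1030, "session_id": "s1", "clientip": "10.0.0.1", "cookie": "c1"},
    {"_time": 1090, "session_id": "s1", "clientip": "10.0.0.1", "cookie": "c1"},
    {"_time": 2000, "session_id": "s2", "clientip": "10.0.0.2", "cookie": "c2"},
    {"_time": 2010, "session_id": "s2", "clientip": "10.0.0.2", "cookie": "c2"},
    {"_time": 3000, "session_id": "s3", "clientip": "10.0.0.1", "cookie": "c3"},
    {"_time": 4000, "session_id": "s4", "clientip": "10.0.0.3", "cookie": "c4"},
    {"_time": 4600, "session_id": "s4", "clientip": "10.0.0.3", "cookie": "c4"},
]

def session_durations(events):
    """stats min(_time) AS earliest max(_time) AS latest by session_id
    | eval duration=latest-earliest. A session seen only once has duration 0."""
    earliest, latest = {}, {}
    for e in events:
        sid, t = e["session_id"], e["_time"]
        earliest[sid] = min(t, earliest.get(sid, t))
        latest[sid] = max(t, latest.get(sid, t))
    return {sid: latest[sid] - earliest[sid] for sid in earliest}

def perc(values, p):
    """Nearest-rank percentile (assumed approximation of Splunk's perc<X>)."""
    s = sorted(values)
    return s[max(0, math.ceil(p / 100 * len(s)) - 1)]

def duration_summary(events):
    """Second stats stage: min/max/avg/median/perc95 over per-session durations."""
    d = list(session_durations(events).values())
    return {"min": min(d), "max": max(d), "avg": mean(d),
            "median": median(d), "perc95": perc(d, 95)}

def hits_per_clientip(events):
    """stats count by clientip | sort -count (ties broken by IP for stability)."""
    counts = Counter(e["clientip"] for e in events)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def sessions_per_clientip(events):
    """stats dc(cookie) as sessions by clientip | sort -sessions."""
    cookies = defaultdict(set)
    for e in events:
        cookies[e["clientip"]].add(e["cookie"])
    return sorted(((ip, len(c)) for ip, c in cookies.items()),
                  key=lambda kv: (-kv[1], kv[0]))
```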
This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6