Search for transactions
Search for transactions
Search for transactions using the transaction search command either in Splunk Web or at the CLI. The transaction command yields groupings of events which can be used in reports. To use transaction, either call a transaction type (that you configured via transactiontypes.conf), or define transaction constraints in your search by setting the search options of the transaction command.
Search options
Transactions returned at search time consist of the raw text of each event, the shared event types, and the field values. Transactions also have additional data that is stored in the fields: duration and transactiontype.
-
durationcontains the duration of the transaction (the difference between the timestamps of the first and last events of the transaction). -
transactiontypeis the name of the transaction (as defined intransactiontypes.confby the transaction's stanza name).
You can add transaction to any search. For best search performance, craft your search and then pipe it to the transaction command. For more information see the topic on the transaction command in the Search Reference manual.
Follow the transaction command with the following options. Note: Some transaction options do not work in conjunction with others.
[field-list]
- This is a comma-separated list of fields, such as
...|transaction host,cookie - If set, each event must have the same field(s) to be considered part of the same transaction.
- Events with common field names and different values will not be grouped.
- For example, if you add
...|transaction host, then a search result that hashost=mylaptopcan never be in the same transaction as a search result withhost=myserver. - A search result that has no
hostvalue can be in a transaction with a result that hashost=mylaptop.
- For example, if you add
match=closest
- Specify the matching type to use with a transaction definition.
- The only value supported currently is closest.
maxspan=[<integer> s|m|h|d]
- Set the maximum pause between the events in a transaction.
- Can be in seconds, minutes, hours or days.
- For example: 5s, 6m, 12h or 30d.
- Defaults to
maxspan=-1, for an "all time" timerange.
maxpause=[<integer> s|m|h|d]
- Specifies the maximum pause between transactions.
- Requires there be no pause between the events within the transaction greater than maxpause.
- If the value is negative, the maxspause constraint is disabled.
- Defaults to
maxpause=-1.
startswith=<string>
- A search or eval-filtering expression which, if satisfied by an event, marks the beginning of a new transaction.
- For example:
-
startswith="login" -
startswith=(username=foobar) -
startswith=eval(speed_field < max_speed_field) -
startswith=eval(speed_field < max_speed_field/12)
-
- Defaults to
"".
endswith=<transam-filter-string>
- A search or eval-filtering expression which, if satisfied by an event, marks the end of a transaction.
- For example:
-
endswith="logout" -
endswith=(username=foobar) -
endswith=eval(speed_field < max_speed_field) -
endswith=eval(speed_field < max_speed_field/12)
-
- Defaults to
"".
For startswith and endswith, <transam-filter-string> is defined with the following syntax:
"<search-expression>" | (<quoted-search-expression>) | eval(<eval-expression>
-
<search-expression>is a valid search expression that does not contain quotes. -
<quoted-search-expression>is a valid search expression that contains quotes. -
<eval-expression>is a valid eval expression that evaluates to a boolean.
Examples:
- search expression:
(name="foo bar") - search expression:
"user=mildred" - search expression:
("search literal") - eval bool expression:
eval(distance/time < max_speed)
Transactions and macro search
Transactions and macro searches are a powerful combination that allow substitution into your transaction searches. Make a transaction search and then save it with $field$ to allow substitution.
For an example of how to use macro searches and transactions, see "Create and use search macros" in the User manual. For more information about macro searches, see "Design macro searches" in this manual.
Example transaction search
Run a search that groups together all of the web pages a single user (or client IP address) looked at over a time range.
This search takes events from the access logs, and creates a transaction from events that share the same clientip value that occurred within 5 minutes of each other (within a 3 hour time span).
sourcetype=access_combined | transaction clientip maxpause=5m maxspan=3hThis documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 , 4.2 , 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 , 4.3 , 4.3.1 , 4.3.2 View the Article History for its revisions.