Transactions can include:
- Different events from the same source and the same host.
- Different events from different sources from the same host.
- Similar events from different hosts and different sources.
For example, a customer purchase in an online store could generate a transaction that ties together events from several sources:
- A set of web access events share a session ID with....
- ....a corresponding event in the application server log, which also contains related account, product, and transaction IDs. The transaction ID in that application server event also appears in...
- ...a message queue event, which contains a message ID. This message ID is in turn shared by...
- ...a purchase fulfillment event logged by the fulfillment application, which also includes the shipping status of the item that the customer purchased.
All of the highlighted here, when grouped together, represent a single user transaction. If you were to define it as a transaction type you might call it an "item purchase" transaction. Other kinds of transactions include web access, application server downloads, emails, security violations, and system failures.
A transaction search enables you to identify transaction events that each stretch over multiple logged events. Use the
transaction command and its options to define a search that returns transactions (groups of events). See the documentation of the command in the Search Reference for a variety of examples that show you how you can:
- Find groups of events where the first and last events are separated by a span of time that does not exceed a certain amount (set with the
- Find groups of events where the span of time between included events does not exceed a specific value (set with the
- Find groups of related events where the total number of events does not exceed a specific number (set with the
- Design a transaction that finds event groups where the final event contains a specific text string (set with the
transaction command topic to get the full list of available options for the command.
You can also use the
transaction command to override transaction options that you have configured in
To learn more about searching with
transaction, read "Identify and group events into transactions" in the Search Manual.
Configure transaction types
After you create a transaction search that you find worthy of repeated reuse, you can make it persistable by adding it to
transactiontypes.conf as a transaction type.
To learn more about configuring transaction types, read "Configure transaction types," in this manual.
When to use stats instead of transactions
Transactions aren't the most efficient method to compute aggregate statistics on transactional data. If you want to compute aggregate statistics over transactions that are defined by data in a single field, use the
For example, if you wanted to compute the statistics of the duration of a transaction defined by the field
* | stats min(_time) AS earliest max(_time) AS latest by session_id | eval duration=latest-earliest | stats min(duration) max(duration) avg(duration) median(duration) perc95(duration)
Similary, if you wanted to compute the number of hits per
clientip in an access log:
sourcetype=access_combined | stats count by clientip | sort -count
Also, if you wanted to compute the number of distinct session (parameterized by
clientip in an access log:
sourcetype=access_combined | stats dc(cookie) as sessions by clientip | sort -sessions
Read the stats command reference for more information about using the search command.
Configure event type templates
Search for transactions
This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.6.0, 6.6.1