Splunk® Enterprise

Knowledge Manager Manual


Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk.

About transactions

A transaction is any group of conceptually related events that spans time. A transaction type is a configured transaction, saved as a named stanza in transactiontypes.conf so that it can be reused by name in searches. Any number of data sources can contribute the log entries that make up a single transaction.

For example, a customer shopping in an online store could generate a transaction across multiple sources. Web access events might share a session ID with the events in the application server log; the application server log might contain the account ID, transaction ID, and product ID; the transaction ID may appear in the message queue log alongside a message ID; and the fulfillment application may log the message ID along with the shipping status. No single field is present in every source, yet all of this data represents one user transaction, linked through a chain of pairwise shared identifiers.

Here are some other examples of transactions:

  • Web access events
  • Application server events
  • Business transactions
  • E-mails
  • Security violations
  • System failures

Transaction search

Transaction search is useful when a single logical activity (one user session, one purchase, one login attempt, one outage) is recorded as several separate logged events that you want to treat as one unit. Use the transaction command in a search to define a transaction on the fly, or to override options for a transaction type already defined in transactiontypes.conf.

To learn more, read "Search for transactions" in this manual.

Configure transaction types

If you want to reuse a transaction search rather than retyping it, save it as a transaction type by editing transactiontypes.conf. Each transaction type is a stanza whose name becomes the name of the transaction; the settings listed in the stanza (the fields to group on, time constraints, and so on) define the transaction.
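As an added illustration (not taken from the original page or from Splunk's shipped configuration), here is what such a stanza looks like for grouping web access events into sessions. The type name web_session, the field names clientip and JSESSIONID, and the time limits are assumptions chosen for a typical access log; substitute the fields you have actually extracted from your own data.

```ini
# $SPLUNK_HOME/etc/system/local/transactiontypes.conf
# Example stanza added for illustration; the type name, field names and
# limits below are assumptions, not values from the original page.

[web_session]
# Events are grouped into one transaction when they share the same
# values for every field listed here.
fields = clientip, JSESSIONID
# An open transaction is closed once its first and last event are more
# than 30 minutes apart ...
maxspan = 30m
# ... or once more than 5 minutes pass with no further matching event.
maxpause = 5m
# Cap the number of events a single transaction may collect.
maxevents = 500

# Invoke the type by name in a search, for example:
#   sourcetype=access_combined | transaction web_session
#   | stats avg(duration) max(eventcount) by clientip
# The transaction command adds the duration and eventcount fields to
# each transaction it emits.
```

Two practitioner notes. First, the fields used to stitch events together here (the session cookie and the client address) are supplied by the client: a scripted client that drops or rotates its cookie will be split across many small transactions rather than appearing as one session, so do not treat transaction boundaries as a security control. Second, maxspan and maxpause matter for resource use as well as correctness, because the transaction command has to hold every event of every open transaction until the transaction closes; together with the maxopentxn and maxopenevents limits in limits.conf, these settings bound how much the search keeps in memory.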

To learn more about configuring transaction types, read "Define transactions" in this manual.

When to use stats instead of transactions

The transaction command is not the most efficient way to compute aggregate statistics over transactional data, because it must collect and hold all of the events of each open transaction before it can emit a result. If the transactions you care about are defined by the values of a single field, compute the statistics directly with the stats command, which only needs to keep a running aggregate per field value.

For example, to compute statistics on the duration of transactions defined by the field session_id, where the duration of a session is the time between its first and last event:

* | stats min(_time) AS earliest max(_time) AS latest by session_id | eval duration=latest-earliest | stats min(duration) max(duration) avg(duration) median(duration) perc95(duration)

Similarly, to count the number of hits per clientip in an access log:

sourcetype=access_combined | stats count by clientip | sort -count

To count the number of distinct sessions (identified by cookie) per clientip in an access log, which is a useful security baseline because many distinct sessions from one address can indicate either a shared NAT gateway or a scripted client that does not persist cookies:

sourcetype=access_combined | stats dc(cookie) as sessions by clientip | sort -sessions

Read the stats command reference for more information about using the stats command.


This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7
