Splunk® Enterprise

Knowledge Manager Manual

Splunk Enterprise version 8.2 is no longer supported as of September 30, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Search for transactions

Search for transactions using the transaction search command either in Splunk Web or at the CLI. The transaction command yields groupings of events which can be used in reports. To use transaction, either call a transaction type that you configured via transactiontypes.conf, or define transaction constraints in your search by setting the search options of the transaction command.

Search options

Transactions returned at search time consist of the raw text of each event, the shared event types, and the field values. Transactions also have additional data that is stored in the fields: duration and transactiontype.

  • duration contains the duration of the transaction (the difference between the timestamps of the first and last events of the transaction).
  • transactiontype is the name of the transaction (as defined in transactiontypes.conf by the transaction's stanza name).

You can add transaction to any search. For best search performance, craft your search and then pipe it to the transaction command. For more information see the topic on the transaction command in the Search Reference manual.

Follow the transaction command with the following options.

Note: Some transaction options do not work in conjunction with others.

[field-list]

  • This is a comma-separated list of fields, such as ...|transaction host,cookie
  • If set, each event must have the same field(s) to be considered part of the same transaction.
  • Events with common field names and different values will not be grouped.
    • For example, if you add ...|transaction host, then a search result that has host=mylaptop can never be in the same transaction as a search result with host=myserver.
    • A search result that has no host value can be in a transaction with a result that has host=mylaptop.

match=closest

  • Specify the matching type to use with a transaction definition.
  • The only value supported currently is closest.

maxspan=[<integer> s|m|h|d]

  • Set the maximum span across events in a transaction.
  • Can be in seconds, minutes, hours or days.
    • For example: 5s, 6m, 12h or 30d.
  • Defaults to maxspan=-1, for an "all time" timerange.

maxpause=[<integer> s|m|h|d]

  • Specifies the maximum pause between transactions.
  • Requires there be no pause between the events within the transaction greater than maxpause.
  • If the value is negative, the maxspause constraint is disabled.
  • Defaults to maxpause=-1.

startswith=<string>

  • A search or eval-filtering expression which, if satisfied by an event, marks the beginning of a new transaction.
  • For example:
    • startswith="login"
    • startswith=(username=foobar)
    • startswith=eval(speed_field < max_speed_field)
    • startswith=eval(speed_field < max_speed_field/12)
  • Defaults to "".

endswith=<transam-filter-string>

  • A search or eval-filtering expression which, if satisfied by an event, marks the end of a transaction.
  • For example:
    • endswith="logout"
    • endswith=(username=foobar)
    • endswith=eval(speed_field < max_speed_field)
    • endswith=eval(speed_field < max_speed_field/12)
  • Defaults to "".

For startswith and endswith, <transam-filter-string> is defined with the following syntax: "<search-expression>" | (<quoted-search-expression>) | eval(<eval-expression>

  • <search-expression> is a valid search expression that does not contain quotes.
  • <quoted-search-expression> is a valid search expression that contains quotes.
  • <eval-expression> is a valid eval expression that evaluates to a boolean.

Examples:

  • search expression: (name="foo bar")
  • search expression: "user=mildred"
  • search expression: ("search literal")
  • eval bool expression: eval(distance/time < max_speed)

Transactions and macro search

Transactions and macro searches are a powerful combination that allows substitution into your transaction searches. Make a transaction search and then save it with $field$ to allow substitution.

You can find an example of search macro and transaction combination in Search macro examples.

Example transaction search

Run a search that groups together all of the web pages a single user (or client IP address) looked at over a time range.

This search takes events from the access logs, and creates a transaction from events that share the same clientip value that occurred within 5 minutes of each other (within a 3 hour time span).

sourcetype=access_combined | transaction clientip maxpause=5m maxspan=3h

Last modified on 17 July, 2024
About transactions   Configure transaction types

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1, 8.1.0, 8.1.10, 8.1.11, 8.1.12


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters