Configure transaction types
Any series of events can be turned into a transaction type. Read more about use cases in "About transactions", in this manual.
You can create transaction types via transactiontypes.conf. See below for configuration details.
For more information on configuration files in general, see "About configuration files" in the Admin manual.
Configure transaction types in transactiontypes.conf
- Create a transactiontypes.conf file in $SPLUNK_HOME/etc/system/local/, or in your own custom app directory in $SPLUNK_HOME/etc/apps/.
- Define transactions by creating a stanza and listing specifications for each transaction within its stanza. Use the following attributes:

    [<TRANSACTIONTYPE>]
    maxspan = [<integer> s|m|h|d|-1]
    maxpause = [<integer> s|m|h|d|-1]
    maxevents = <integer>
    fields = <comma-separated list of fields>
    connected = [true|false]
    startswith = <transam-filter-string>
    endswith = <transam-filter-string>

- Create any number of transaction types, each represented by a stanza name and any number of the following attribute/value pairs.
- Use the stanza name, [<TRANSACTIONTYPE>], to search for the transaction in Splunk Web.
- If you do not specify an entry for each of the following attributes, Splunk Enterprise uses the default value.

maxspan = [<integer> s|m|h|d|-1]
- Sets the maximum time span for the transaction.
- Can be in seconds, minutes, hours or days, or set to -1 for unlimited.
- For example: 5s, 6m, 12h or 30d.
- Defaults to -1.

maxpause = [<integer> s|m|h|d|-1]
- Sets the maximum pause between the events in a transaction.
- Can be in seconds, minutes, hours or days, or set to -1 for unlimited.
- For example: 5s, 6m, 12h or 30d.
- Defaults to -1.

maxevents = <integer>
- The maximum number of events in a transaction. This constraint is disabled if the value is a negative integer.
- Defaults to 1000.

fields = <comma-separated list of fields>
- If set, each event must have the same value for each listed field to be considered part of the same transaction.
- For example: fields = host,cookie
- Defaults to "" (no fields are required).

connected = [true|false]
- Relevant only if fields is not empty. Controls whether an event that is not inconsistent and not consistent with the fields of a transaction opens a new transaction (connected=true) or is added to the transaction (connected=false).
- An event can be not inconsistent and not consistent if it contains fields required by the transaction but none of these fields has been instantiated in the transaction (by a previous event addition).
- Defaults to connected = true.

startswith = <transam-filter-string>
- A search or eval filtering expression which, if satisfied by an event, marks the beginning of a new transaction.
- For example:
  startswith="login"
  startswith=(username=foobar)
  startswith=eval(speed_field < max_speed_field)
  startswith=eval(speed_field < max_speed_field/12)
- Defaults to "" (no start condition).

endswith = <transam-filter-string>
- A search or eval filtering expression which, if satisfied by an event, marks the end of a transaction.
- For example:
  endswith="logout"
  endswith=(username=foobar)
  endswith=eval(speed_field > max_speed_field)
  endswith=eval(speed_field > max_speed_field/12)
- Defaults to "" (no end condition).

For both startswith and endswith, <transam-filter-string> has the following syntax:

    "<search-expression>" | (<quoted-search-expression>) | eval(<eval-expression>)

Where:
- <search-expression> is a valid search expression that does not contain quotes.
- <quoted-search-expression> is a valid search expression that contains quotes.
- <eval-expression> is a valid eval expression that evaluates to a boolean. For example, startswith=eval(foo<bar*2) will match events where foo is less than 2 x bar.

Examples:
- "<search-expression>": startswith="foo bar"
- <quoted-search-expression>: startswith=(name="foo bar")
- <quoted-search-expression>: startswith=("search literal")
- eval(<eval-expression>): eval(distance/time < max_speed)

- Use the transaction command in Splunk Web to call your defined transaction (by its transaction type name). You can override configuration specifics during search.

For more information about searching for transactions, see "Search for transactions" in this manual.
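To make the interaction of these attributes concrete, here is an added example that is not Splunk's code and not part of this page. It parses a constructed [web_session] stanza with Python's configparser (Splunk .conf files are INI-like), fills in the defaults listed above, and groups a handful of constructed web-server events into transactions using maxspan, maxpause, maxevents, fields, startswith and endswith. Only the quoted-literal and (field=value) forms of startswith/endswith are modelled; eval() expressions and connected are not, and events are processed oldest first as a simplification of Splunk's actual search order. The stanza, the event records, the cookie values and the action field are all assumptions made up for the example.

```python
"""Toy model of one transactiontypes.conf stanza applied to sample events.

Added example, not Splunk's code. Models maxspan, maxpause, maxevents, fields,
startswith and endswith as documented above; startswith/endswith support only
the "<literal>" (matched against _raw) and (<field>=<value>) forms, not eval().
Events are processed oldest first (a simplification of Splunk's search order).
"""
import configparser
import re

# Constructed stanza for this example (not from the page).
CONF = """
[web_session]
fields = host,cookie
maxspan = 30m
maxpause = 5m
maxevents = 1000
startswith = "login"
endswith = (action=logout)
"""

# Constructed web-server events for this example. bob's session (cookie=def)
# goes quiet for longer than maxpause and then logs in again.
SAMPLE_EVENTS = [
    {"_time": 0, "host": "web01", "cookie": "abc", "action": "login", "_raw": "web01 cookie=abc user=alice login ok"},
    {"_time": 0, "host": "web01", "cookie": "def", "action": "login", "_raw": "web01 cookie=def user=bob login ok"},
    {"_time": 60, "host": "web01", "cookie": "abc", "action": "view", "_raw": "web01 cookie=abc GET /account"},
    {"_time": 120, "host": "web01", "cookie": "abc", "action": "logout", "_raw": "web01 cookie=abc logout"},
    {"_time": 400, "host": "web01", "cookie": "def", "action": "view", "_raw": "web01 cookie=def GET /admin"},
    {"_time": 500, "host": "web01", "cookie": "def", "action": "login", "_raw": "web01 cookie=def user=bob login ok"},
    {"_time": 530, "host": "web01", "cookie": "def", "action": "view", "_raw": "web01 cookie=def GET /admin/users"},
]

# Defaults as documented on this page.
DEFAULTS = {"maxspan": "-1", "maxpause": "-1", "maxevents": "1000",
            "fields": "", "connected": "true", "startswith": "", "endswith": ""}
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(value):
    """'5s', '6m', '12h', '30d' -> seconds; '-1' -> None (unlimited)."""
    value = value.strip()
    if value == "-1":
        return None
    m = re.fullmatch(r"(\d+)\s*([smhd])", value)
    if not m:
        raise ValueError(f"bad duration: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def load_transaction_type(conf_text, name):
    """Read one stanza over the documented defaults."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    stanza = dict(DEFAULTS)
    stanza.update(cp[name])
    return stanza


def make_filter(expr):
    """Predicate for a <transam-filter-string> (two of the three forms)."""
    expr = expr.strip()
    if not expr:
        return lambda ev: False
    if len(expr) >= 2 and expr[0] == expr[-1] == '"':
        literal = expr[1:-1]                      # "<search-expression>": match against _raw
        return lambda ev: literal in ev["_raw"]
    m = re.fullmatch(r'\((\w+)="?([^")]+)"?\)', expr)
    if m:                                         # (<field>=<value>)
        field, value = m.groups()
        return lambda ev: str(ev.get(field)) == value
    raise ValueError(f"unsupported filter (eval() not modelled): {expr!r}")


def group_transactions(events, stanza):
    """Group events into transactions according to the stanza's attributes."""
    fields = [f.strip() for f in stanza["fields"].split(",") if f.strip()]
    maxspan = parse_duration(stanza["maxspan"])
    maxpause = parse_duration(stanza["maxpause"])
    maxevents = int(stanza["maxevents"])          # negative disables the limit
    starts, ends = make_filter(stanza["startswith"]), make_filter(stanza["endswith"])
    open_txns, closed = {}, []

    for ev in sorted(events, key=lambda e: e["_time"]):
        key = tuple(ev.get(f) for f in fields)    # same field values => same transaction
        txn = open_txns.get(key)
        if txn is not None:
            too_long = maxspan is not None and ev["_time"] - txn[0]["_time"] > maxspan
            too_quiet = maxpause is not None and ev["_time"] - txn[-1]["_time"] > maxpause
            too_many = maxevents >= 0 and len(txn) >= maxevents
            if too_long or too_quiet or too_many or starts(ev):
                closed.append(open_txns.pop(key))  # constraint hit or startswith: begin anew
                txn = None
        if txn is None:
            txn = open_txns[key] = []
        txn.append(ev)
        if ends(ev):                              # endswith closes the transaction
            closed.append(open_txns.pop(key))
    closed.extend(open_txns.values())             # still-open transactions are emitted too
    return sorted(closed, key=lambda t: t[0]["_time"])


def summarize(txns):
    """(cookie, duration in seconds, eventcount) per transaction."""
    return [(t[0]["cookie"], t[-1]["_time"] - t[0]["_time"], len(t)) for t in txns]


if __name__ == "__main__":
    for row in summarize(group_transactions(SAMPLE_EVENTS, load_transaction_type(CONF, "web_session"))):
        print(row)
```

Running it yields four transactions: alice's three-event session closed by endswith, and bob's activity split into three pieces, once by the 5m maxpause and once by the second login matching startswith. That split is the caveat to keep in mind when using transaction types for detection: a low-and-slow session fragments into several short transactions unless maxpause is chosen from the real gap distribution of the data rather than a round number.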
Additional transaction configuration attributes
transactiontypes.conf includes a few more sets of attributes that are designed to handle situations such as multivalue fields and memory constraint issues.
Transaction options for memory constraint issues
maxopentxn=<int>
- Specifies the maximum number of not yet closed transactions to keep in the open pool before starting to evict transactions, using an LRU (least recently used) policy.
- The default value of this attribute is read from the transactions stanza in limits.conf.
maxopenevents=<int>
- Specifies the maximum number of events that are part of open transactions before transaction eviction starts happening, using an LRU (least recently used) policy.
- The default value of this attribute is read from the transactions stanza in limits.conf.
keepevicted=[true|false]
- Whether to output evicted transactions. Evicted transactions can be distinguished from non-evicted transactions by checking the value of the evicted field, which is set to 1 for evicted transactions.
- Defaults to keepevicted=false.
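The eviction behaviour is easier to reason about with a runnable model. The following is an added example, not Splunk's code, of an LRU-bounded pool of open transactions: when a new transaction would push the pool past maxopentxn (or the open events past maxopenevents), the least recently used open transaction is evicted, and keepevicted decides whether it is dropped or output with evicted=1. The events, the session field used as the grouping key, and the treatment of a non-positive limit as "unset" are assumptions made for the example.

```python
"""Added example (not Splunk's code): what maxopentxn and keepevicted do.

Open transactions sit in a bounded pool. When a new transaction would exceed
maxopentxn (or the open events exceed maxopenevents), the least recently used
open transaction is evicted. With keepevicted=false it vanishes from the
results; with keepevicted=true it is still output, tagged evicted=1.
"""
from collections import OrderedDict

# Constructed events: one slow "atk" session interleaved with short ones.
# The field name "session" is an assumption for this example.
SAMPLE = [
    {"_time": 0, "session": "atk", "_raw": "atk login"},
    {"_time": 1, "session": "s1", "_raw": "s1 login"},
    {"_time": 2, "session": "s2", "_raw": "s2 login"},
    {"_time": 3, "session": "s3", "_raw": "s3 login"},
    {"_time": 4, "session": "atk", "_raw": "atk exfil"},
]


def run_pool(events, key_field, maxopentxn, maxopenevents, keepevicted):
    """Group events by key_field under an LRU-bounded pool of open transactions.

    A limit <= 0 is treated as unset here (assumption). Returns dicts with
    key, events and evicted, in output order.
    """
    pool = OrderedDict()          # key -> events; first item is least recently used
    open_events = 0
    emitted = []

    def evict_lru():
        nonlocal open_events
        key, txn = pool.popitem(last=False)
        open_events -= len(txn)
        if keepevicted:           # keepevicted=true: output it, marked evicted=1
            emitted.append({"key": key, "events": txn, "evicted": 1})

    for ev in events:
        key = ev[key_field]
        if key in pool:
            pool.move_to_end(key)                 # touched => most recently used
        else:
            while maxopentxn > 0 and len(pool) >= maxopentxn:
                evict_lru()
            pool[key] = []
        pool[key].append(ev)
        open_events += 1
        while maxopenevents > 0 and open_events > maxopenevents:
            evict_lru()
    for key, txn in pool.items():                 # closed normally at end of search
        emitted.append({"key": key, "events": txn, "evicted": 0})
    return emitted


def surviving_events(emitted):
    """How many input events made it into the output transactions."""
    return sum(len(t["events"]) for t in emitted)
```

With maxopentxn=2 and keepevicted=false, the "atk" login event is evicted while three short sessions churn through the pool, and the later "atk exfil" event shows up as a brand-new one-event transaction with no sign that anything was lost. With keepevicted=true the evicted pieces are still output and carry evicted=1, so a search can at least filter or alert on them. For detection use cases, check the pool limits in limits.conf against the number of concurrent sessions you expect, or set keepevicted=true and watch for evicted=1.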
Transaction options for rendering multivalue fields
mvlist=[true|false]|<field-list>
- The mvlist attribute controls whether the multivalue fields of the transaction are (1) a list of the original events' values in arrival order or (2) a set of unique field values ordered lexicographically. If a comma- or space-delimited list of fields is provided, only those fields are rendered as lists.
- Defaults to mvlist=false.
delim=<string>
- A string used to delimit the original event values in the transaction event fields.
- Defaults to delim=" ".
nullstr=<string>
- The string value to use when rendering missing field values as part of multivalue fields in a transaction.
- This option applies only to fields that are rendered as lists.
- Defaults to nullstr=NULL.
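The three rendering options are easiest to see side by side on the same member events. The following added example, not Splunk's code, collapses three constructed events into one transaction event under the default settings, under mvlist=true, and under a per-field mvlist with a custom delim and nullstr. The event records are made up; using delim to join the member events' _raw values is this example's reading of "delimit the original event values", and the duration and eventcount summary fields are included as the example's own output.

```python
"""Added example (not Splunk's code): how mvlist, delim and nullstr render a
transaction's fields from its member events.

mvlist=false: each field becomes the set of unique values, sorted
lexicographically. mvlist=true, or a field named in mvlist: the field is a
list in arrival order, with nullstr where an event lacks the field. delim
joins the member events' _raw values into the transaction's _raw (this
example's reading of "delimit the original event values").
"""

# Constructed member events of one transaction; the second lacks "status".
SAMPLE_TXN = [
    {"_time": 100, "_raw": "GET /login 200", "uri": "/login", "status": "200"},
    {"_time": 130, "_raw": "POST /login", "uri": "/login"},
    {"_time": 160, "_raw": "GET /admin 403", "uri": "/admin", "status": "403"},
]


def parse_mvlist(value):
    """'true'/'false' -> bool, otherwise a comma- or space-delimited field set."""
    v = value.strip().lower()
    if v in ("true", "false"):
        return v == "true"
    return set(value.replace(",", " ").split())


def render_transaction(events, mvlist="false", delim=" ", nullstr="NULL"):
    """Collapse events (already in arrival order) into one transaction event."""
    mode = parse_mvlist(mvlist)
    names = sorted({k for ev in events for k in ev if k not in ("_raw", "_time")})
    out = {
        "_time": events[0]["_time"],
        "_raw": delim.join(ev["_raw"] for ev in events),
        "duration": events[-1]["_time"] - events[0]["_time"],
        "eventcount": len(events),
    }
    for name in names:
        as_list = mode is True or (isinstance(mode, set) and name in mode)
        if as_list:
            # arrival order, nullstr stands in for events missing the field
            out[name] = [str(ev[name]) if name in ev else nullstr for ev in events]
        else:
            # unique values, lexicographic order; missing values simply vanish
            out[name] = sorted({str(ev[name]) for ev in events if name in ev})
    return out
```

Note the difference for the event with no status field: with the default mvlist=false it leaves no trace in the transaction, while with mvlist=true (or mvlist=status) the NULL placeholder keeps the status list aligned with the uri list, so you can still tell which request had no recorded status.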
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403 (latest FedRAMP release), 9.2.2406