About transactions
A transaction is a group of conceptually-related events that spans time. A transaction type is a transaction that has been configured in transactiontypes.conf
and saved as a field.
Transactions can include:
- Different events from the same source and the same host.
- Different events from different sources from the same host.
- Similar events from different hosts and different sources.
For example, a customer purchase in an online store could generate a transaction that ties together events from several sources:
- A set of web access events share a session ID with....
- ....a corresponding event in the application server log, which also contains related account, product, and transaction IDs. The transaction ID in that application server event also appears in...
- ...a message queue event, which contains a message ID. This message ID is in turn shared by...
- ...a purchase fulfillment event logged by the fulfillment application, which also includes the shipping status of the item that the customer purchased.
All of the events highlighted here, when grouped together, represent a single user transaction. If you were to define it as a transaction type you might call it an "item purchase" transaction. Other kinds of transactions include web access, application server downloads, emails, security violations, and system failures.
Transaction search
A transaction search enables you to identify transaction events that each stretch over multiple logged events. Use the transaction
command and its options to define a search that returns transactions (groups of events). See the documentation of the command in the Search Reference for a variety of examples that show you how you can:
- Find groups of events where the first and last events are separated by a span of time that does not exceed a certain amount (set with the
maxspan
option) - Find groups of events where the span of time between included events does not exceed a specific value (set with the
maxpause
option). - Find groups of related events where the total number of events does not exceed a specific number (set with the
maxevents
option) - Design a transaction that finds event groups where the final event contains a specific text string (set with the
endswith
option).
Study the transaction
command topic to get the full list of available options for the command.
You can also use the transaction
command to override transaction options that you have configured in transactiontypes.conf
.
To learn more about searching with transaction
, read "Identify and group events into transactions" in the Search Manual.
Configure transaction types
After you create a transaction search that you find worthy of repeated reuse, you can make it persistable by adding it to transactiontypes.conf
as a transaction type.
To learn more about configuring transaction types, read "Configure transaction types," in this manual.
When to use stats instead of transactions
Transactions aren't the most efficient method to compute aggregate statistics on transactional data. If you want to compute aggregate statistics over transactions that are defined by data in a single field, use the stats
command.
For example, if you wanted to compute the statistics of the duration of a transaction defined by the field session_id
:
* | stats min(_time) AS earliest max(_time) AS latest by session_id | eval duration=latest-earliest | stats min(duration) max(duration) avg(duration) median(duration) perc95(duration)
Similarly, if you wanted to compute the number of hits per clientip
in an access log:
sourcetype=access_combined | stats count by clientip | sort -count
Also, if you wanted to compute the number of distinct session (parameterized by cookie
) per clientip
in an access log:
sourcetype=access_combined | stats dc(cookie) as sessions by clientip | sort -sessions
Read the stats command reference for more information about using the search command.
Configure event type templates | Search for transactions |
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408
Feedback submitted, thanks!