Transaction types via configuration files
This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk:
3.2.1 , 3.2.2 , 3.2.3 , 3.2.4 , 3.2.5 , 3.2.6
Configure transaction types by creating a custom transactiontypes.conf. Write your copy to $SPLUNK_HOME/etc/bundles/local or your own custom bundle directory.
Configuration
Define transactions by creating a stanza and listing specifications for each transaction within its stanza. Use the transaction command in Splunk Web to call your defined transaction (by its transactiontype name) and override specifications.
[$TRANSACTIONTYPE]
- Create any number of transaction types, each represented by a stanza name and any number of the following attribute/value pairs.
- Use the stanza name, [$TRANSACTIONTYPE], to search for the transaction in Splunk Web.
- If you do not specify an entry for each attribute, Splunk uses the default value.
maxspan = [s|m|h|d]
- Specifies the maximum time span for the transaction.
- Can be set in seconds, minutes, hours or days.
- For example: 5s, 6m, 12h or 30d.
- Defaults to -1 (unlimited).
- NOTE: IF there is NO pattern set (below), defaults to 5m.
maxpause = [s|m|h|d]
- Specifies the maximum pause between a complete transaction's events.
- Can be set in seconds, minutes, hours or days.
- For example: 5s, 6m, 12h or 30d.
- NOTE: IF there is NO "pattern" set (below), defaults to 2s.
- Otherwise, defaults to -1 (unlimited).
maxrepeats = <int>
- Specifies the maximum number of repeated event types to match against pattern (see below).
- For example, if maxrepeats is 10, and there are 100 events in a row, all with the same eventtype, only the first and last 10 are matched against pattern.
- A negative value means no limit on repeats, but can possibly cause memory problems.
- Defaults to 10.
fields = <comma-separated list of fields>
- Takes a comma-separated list of fields.
- If set, each event must have the same field to be considered part of the same transaction.
- Defaults to "".
exclusive = <boolean>
- Specifies whether events can be in multiple transactions, or 'exclusive' to a single transaction. Applies to the 'fields' constraint, when events are missing values and can be in multiple transactions, without having conflicting values.
- For example, if fields=url,cookie, and exclusive=false, then an event with a 'cookie', but not a 'url' value could be in multiple transactions that share the same 'cookie', but have different URLs.
- Setting to 'false' causes the matcher to look for multiple matches for each event and approximately doubles the processing time.
- Defaults to "true".
aliases = <comma-separated list of alias=event_type>
- Defines a short-hand alias for an eventtype to be used in pattern (below).
- For example, A=login, B=purchase, C=logout means "A" is equal to eventtype "login", "B" to "purchase", "C" to "logout".
- Defaults to "".
pattern = <regular expression-like pattern>
- Defines the pattern of event types for events to make up the transaction.
- Uses aliases to refer to eventtypes.
- For example, "A, B*, C" means this transaction consists of a "login" event, followed by any number of "purchase" events, and followed by a "logout" event.
- Defaults to "".
match = (closest)
- Specifies the match type to use.
- Currently, the only value supported is "closest".
- Defaults to "closest".
Example
[default]
maxspan = 5m
maxpause = 2s
match = closest
[purchase]
aliases = A=login, B=purchase, C=logout
pattern = A, B, C
maxspan = 10m
maxpause = 5m
fields = userid
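A check for the attribute rules listed above, run before a transactiontypes.conf is deployed. This is an added example, not part of the Splunk documentation and not Splunk's own code. The function name lint, the [broken] stanza and its timeout attribute are constructed for illustration, and the check assumes that -1 may be written literally and that booleans are spelled true or false.

```python
import configparser
import re

# Constructed input: the page's [purchase] stanza plus a deliberately broken one.
SAMPLE = """\
[purchase]
aliases = A=login, B=purchase, C=logout
pattern = A, B, C
maxspan = 10m
maxpause = 5m
fields = userid
[broken]
aliases = A=login
pattern = A, B*, C
maxspan = 10x
exclusive = maybe
match = nearest
timeout = 30s
"""

KNOWN = {"maxspan", "maxpause", "maxrepeats", "fields", "exclusive", "aliases", "pattern", "match"}
# Assumptions: -1 is accepted literally (the page's "unlimited"); booleans are true/false.
TIMESPAN = re.compile(r"-1|\d+[smhd]")

def lint(text):
    """Return (stanza, attribute, problem) tuples for a transactiontypes.conf body."""
    cp = configparser.RawConfigParser()
    cp.read_string(text)
    out = []
    for stanza in cp.sections():
        opts = dict(cp.items(stanza))
        for key in sorted(opts.keys() - KNOWN):
            out.append((stanza, key, "unknown attribute"))
        for key in ("maxspan", "maxpause"):
            if key in opts and not TIMESPAN.fullmatch(opts[key]):
                out.append((stanza, key, "expected <int> plus s, m, h or d"))
        if "maxrepeats" in opts and not re.fullmatch(r"-?\d+", opts["maxrepeats"]):
            out.append((stanza, "maxrepeats", "expected an integer"))
        if opts.get("exclusive", "true").lower() not in ("true", "false"):
            out.append((stanza, "exclusive", "expected true or false"))
        if opts.get("match", "closest") != "closest":
            out.append((stanza, "match", "only 'closest' is supported"))
        # Every alias name used in pattern must be declared in aliases.
        defined = {a.split("=")[0].strip() for a in opts.get("aliases", "").split(",") if "=" in a}
        for alias in sorted(set(re.findall(r"[A-Za-z_]\w*", opts.get("pattern", ""))) - defined):
            out.append((stanza, "pattern", f"alias {alias} is not defined in aliases"))
    return out

if __name__ == "__main__":
    print(*lint(SAMPLE), sep="\n")
```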