Transaction search

This documentation does not apply to the most recent version of Splunk.

This documentation applies to the following versions of Splunk: 3.2 , 3.2.1 , 3.2.2 , 3.2.3 , 3.2.4 , 3.2.5 , 3.2.6

Search for transactions with the transaction search command, either in Splunk Web or at the CLI. The transaction command groups related events into transactions, which can then be used in reports. To use transaction, either name a transaction type that you have configured in transactiontypes.conf, or define the transaction constraints directly in your search by setting the options of the transaction command.


You may add transaction to any search. For best search performance, narrow your search first and then pipe its results to the transaction command. Here are some examples:


  • This search picks the first src_ip lexicographically:
    [search | stats dc(source) as source_count by src_ip | search source_count > 1 | fields src_ip | head 1] | transaction fields=src_ip
  • This search picks the most recent src_ip temporally:
    [search | stats dc(source) as source_count max(_time) as _time by src_ip | search source_count > 1 | sort -_time | fields src_ip | head 1] | transaction fields=src_ip
  • This search picks the src_ip with the most sources:
    [search | stats dc(source) as source_count by src_ip | search source_count > 1 | sort -source_count | fields src_ip | head 1] | transaction fields=src_ip
  • This search picks the src_ip with the most events:
    [search | stats dc(source) as source_count count by src_ip | search source_count > 1 | sort -count | fields + src_ip | head 1] | transaction fields=src_ip

Transactions returned at search time consist of the raw text of each event, the shared event types, and the field values. Each transaction also carries two additional fields: duration and transactiontype. duration is the length of the transaction, that is, the difference between the timestamps of its first and last events. transactiontype is the name of the transaction, which is the stanza name under which it is defined in transactiontypes.conf.
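As an added illustration (not Splunk's own code), the following Python models what the four example searches above and the transaction command do: summarize events per src_ip, keep only values seen in more than one source, choose one src_ip by each of the four criteria, and merge its events into a single transaction that carries the raw lines and a duration field. The sample events, the field names and the treatment of eventtype as the union of the events' types are assumptions made for the example.

```python
# Constructed sample events (not from the page); _time is a plain integer timestamp.
FIELDS = ("_time", "source", "src_ip", "eventtype", "_raw")
EVENTS = [dict(zip(FIELDS, row)) for row in [
    (100, "/var/log/auth.log", "10.0.0.5", "ssh_failed", "Failed password from 10.0.0.5"),
    (130, "/var/log/auth.log", "10.0.0.5", "ssh_failed", "Failed password from 10.0.0.5"),
    (160, "/var/log/httpd/access_log", "10.0.0.5", "web_access", "10.0.0.5 GET /login 200"),
    (170, "/var/log/auth.log", "10.0.0.5", "ssh_failed", "Failed password from 10.0.0.5"),
    (110, "/var/log/auth.log", "10.0.0.9", "ssh_failed", "Failed password from 10.0.0.9"),
    (120, "/var/log/httpd/access_log", "10.0.0.9", "web_access", "10.0.0.9 GET /admin 403"),
    (200, "/var/log/httpd/error_log", "10.0.0.9", "web_error", "client 10.0.0.9 denied"),
    (150, "/var/log/auth.log", "10.0.0.7", "ssh_ok", "Accepted publickey from 10.0.0.7"),
]]

def summarize_by_src_ip(events):
    """Model of `stats dc(source) as source_count max(_time) as _time count by src_ip`."""
    summary = {}
    for ev in events:
        s = summary.setdefault(ev["src_ip"], {"sources": set(), "count": 0, "_time": 0})
        s["sources"].add(ev["source"])
        s["count"] += 1
        s["_time"] = max(s["_time"], ev["_time"])
    return summary

def pick_src_ip(events, strategy):
    """Mirror the page's four subsearches: keep only src_ip values seen in more than
    one source (source_count > 1), then choose one by the named strategy."""
    candidates = {ip: s for ip, s in summarize_by_src_ip(events).items()
                  if len(s["sources"]) > 1}
    if not candidates:
        return None
    if strategy == "first":  # stats output is ordered by src_ip, so head 1 is the smallest
        return min(candidates)
    rank = {"most_recent": lambda ip: candidates[ip]["_time"],
            "most_sources": lambda ip: len(candidates[ip]["sources"]),
            "most_events": lambda ip: candidates[ip]["count"]}
    return max(candidates, key=rank[strategy])

def transaction(events, field, value):
    """Model of `transaction fields=<field>` for one value: merge the matching events
    into one transaction with every raw line, the event types seen (their union here),
    the event count and the duration (last timestamp minus first)."""
    evs = sorted((e for e in events if e.get(field) == value), key=lambda e: e["_time"])
    if not evs:
        return None  # no events for this value, so no transaction
    return {
        field: value,
        "_raw": "\n".join(e["_raw"] for e in evs),
        "eventtype": sorted({e["eventtype"] for e in evs}),
        "eventcount": len(evs),
        "duration": evs[-1]["_time"] - evs[0]["_time"],
    }
```

Run `transaction(EVENTS, "src_ip", pick_src_ip(EVENTS, "most_events"))` to see the four-event transaction for 10.0.0.5 with a duration of 70.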


Transactions and macro search

Transactions and macro search are a powerful combination that allows substitution into your transaction searches. Make a transaction search and then save it with $field$ in place of the value you want substituted.

Revision: 207