Identify transactions
This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6
Identify transactions
A transaction is a meta-event, a collection of events that you want to group together. Transactions can span multiple sources.
A transaction type is a configured type of transaction that is saved as a field in Splunk.
A common transaction search use is to group multiple events into a single meta-event that represents a single physical event. For example, an out of memory problem could trigger several database events to be logged, and they can all be grouped together into a transaction. Use the transaction command to define a transaction or override transaction options specified in transactiontypes.conf.
Example: Run a search that groups together all of the web pages a single user (or client IP address) looked at, over a time range.
This search takes events from the access logs, and creates a transaction from events that share the same clientip value that occurred within 5 minutes of each other (within a 3 hour time span).
sourcetype=access_combined | transaction fields=clientip maxpause=5m maxspan=3h
For more information, including use cases and examples, see the "Group events into transactions" chapter of the Knowledge Manager manual.