Splunk.com | SplunkBase | Support

Documentation: 3.2.3

| Print Version Contents

How Splunk Works
- Overview of Splunk
Getting Started
- Start Splunk
- Administration basics
- Change defaults
- Find and index data
- Add more users
  - Splunk local users
- Start searching
Data Inputs
- How input configuration works
- Configure inputs via Splunk Web
  - Configuration
- Configure inputs via the CLI
  - Data input commands
  - Data input types
- Configure inputs via inputs.conf
- Configure inputs for Windows
- Scripted inputs
  - Configuration
  - Example
- Configure whitelist and blacklist rules
- Log file rotation
  - How log rotation works
- Strip syslog headers before processing
  - Configuration
  - Example
- Determine what files Splunk is tailing
  - Run listtails
- Index SNMP events with Splunk
- log4j
Data Distribution
- How data distribution works
- Enable forwarding and receiving
- Configure outputs.conf
  - Configuration
  - Example
- Set up routing
  - Configuration
  - Examples
- Filtering and routing
  - Configuration
  - Example
- Route specific events to an alternate index
  - Configuration
  - Example
- Set up SSL
  - Forwarder
  - Receiver
- Enable cloning
- Set up data balancing
  - Configuration
  - Example
- Route data to third-party systems
  - Configuration
  - Example
Indexing
- How indexing works
  - How events work
  - How segmentation works
- Configure event boundaries
  - Configuration
  - Examples
- Configure segmentation
- Enable custom segmentation
  - Configuration
  - Example
- Mask sensitive data in an event
  - Configuration
- Character set
  - Character set specification
- Dynamic metadata assignment
  - Configuration
  - Set values with a script
Timestamps
- How timestamp extraction works
  - Precedence rules for timestamp assignment
  - Configure timestamps
- Configure timestamp extraction
- Configure timezone offsets
- Configure European date formats
  - Configure European date format in literals.conf
  - Use the timeformat modifier
- Configure positional timestamp extraction
  - Configure positional timestamp extraction in props.conf
- Tune timestamp extraction for better indexing performance
  - Adjust timestamp lookahead
  - Turn off the timestamp processor
- Train Splunk to recognize a timestamp
Fields
- How fields work
- Create indexed fields via configuration files
  - Configuration
  - Example
- Create extracted fields via configuration files
- Create extracted fields via Splunk Web
  - Configuration
- Field actions
  - Configuration
- Configure fields.conf
  - Configuration
- Configure multi-value fields
  - Configure multi-value fields in fields.conf
  - Example
Hosts
- How host works
- Set default host for a Splunk server
  - via Splunk Web
  - via configuration files
- Define host assignment for an input
  - Statically
  - Dynamically
- Tag hosts
  - via Splunk Web
  - Host tags vs host names
- Extract host per event
  - Configuration
  - Example
Source Types
- How source types work
- Set source type for an input
- Set source type for a source
  - via configuration files
- Train Splunk on a source type
  - via the CLI
- Create an alias for a source type
  - via Splunk Web
- Rule-based association of sourcetypes
  - Configuration
  - Examples
- Source type settings in props.conf
Event Types
- How event types work
- Save event types via Splunk Web
  - Configuration
- Configure eventtypes.conf
- Tag event types
  - Configuration
- Event type discovery
  - Configure event types
- Event type templates
  - Configuration
  - Example
- Dynamic event rendering
Transaction Types
- How transaction types work
  - Define transactions
  - Sample use cases
- Transaction types via configuration files
  - Configuration
  - Example
- Transaction search
  - Transactions and macro search
Search
- How search works
- Set up saved searches
  - via Splunk Web
- Set up saved searches via savedsearches.conf
  - Configuration
  - Example
- Set up alerts via Splunk Web
  - Set up an alert
  - Specify which fields to show
- Set up alerts via savedsearches.conf
- Customize alert options
  - Email options
  - Additional alert customizations
- Form searches
- Macro searches
  - Configure a macro search
- Live Tail
- Send syslog events
  - Configuration
  - Example
- Send SNMP traps
  - Configuration
Distributed Search
- How distributed search works
  - Known issues with distributed search
- Enable distributed search via Splunk Web
- Enable distributed search via the CLI
  - Configuration
- Configure distributed search via distsearch.conf
  - Configuration
  - Example
- Exclude specific Splunk servers from distributed searches
Security
- Security options
  - Authentication
  - Audit
- Enable HTTPS
  - Configuration
  - Certs
- SSL
  - Configuration
- Configure roles
  - Configuration
  - Example
- Set up LDAP
- Scripted authentication
- File system change monitor
  - How the file system change monitor works
  - Configure the file system change monitor
- Audit events
- Audit event signing
  - How audit event signing works
  - Configure audit event signing
- Event hashing
- IT data signing
- Archive signing
Data Management
- How index management works
  - Data management
  - Configuration files for index management
- Add or remove an index
  - Create an index
  - Delete an index
- Remove (delete) data
- Move an index
  - Configuration
- Set retirement policy
  - Remove files beyond a certain size
  - Remove files beyond a certain age
- Automate archiving
  - Use Splunk's index aging policy to archive
- Restore archived data
  - Restore with resurrect
  - Restore a copied index archive
- Export event data
  - via the CLI
  - via Splunk Web
- Disk usage
  - Set minimum free disk space
  - Set database size
- Use separate partitions for Splunk's datastore
  - Set up separate partitions
- Use WORM (Write Once Read Many) volumes for Splunk's datastore
  - Set up a WORM datastore
Deployment Server
- How the deployment server works
  - Communication between deployment server and client
  - Configuration files for deployment server
- Configure a Splunk Deployment Server
  - Configuration
  - Example
- Configure server classes
  - Configuration
  - Example
- Configure deployment clients
- Sync the server and client
  - Configuration changes
Performance Tuning
- Performance tuning Splunk
- Indexing performance
- Search performance
- Cache report results
- Storage efficiency
- CPU and memory footprint
  - Improve CPU usage
  - Improve memory usage
- Multi-CPU servers
  - indexes.conf
- 64-bit operating systems
  - indexes.conf
- Splunk backup options
  - Back up configurations
  - Back up your entire installation
Configuration Files
- How do configuration files work?
  - Configuration file directory structure
  - Configuration file precedence
- Configure bundle directories
  - Make a bundle directory
  - Bundle best practice
- Configuration file list
Applications
- How applications work
- Install Splunk applications
Reference
- Splunk logfiles
  - Internal logs
  - debug
  - log.cfg
- Pre-trained source types
  - Automatically recognized source types
  - Pre-trained source types
- alert_actions.conf
  - alert_actions.conf.spec
  - alert_actions.conf.example
- audit.conf
  - audit.conf.spec
  - audit.conf.example
- authentication.conf
  - authentication.conf.spec
  - authentication.conf.example
- authorize.conf
  - authorize.conf.spec
  - authorize.conf.example
- decorations.conf
  - decorations.conf.spec
  - decorations.conf.example
- deployment.conf
  - deployment.conf.spec
  - deployment.conf.example
- distsearch.conf
  - distsearch.conf.spec
  - distsearch.conf.example
- eventdiscoverer.conf
  - eventdiscoverer.conf.spec
  - eventdiscoverer.conf.example
- eventtypes.conf
  - eventtypes.conf.spec
  - eventtypes.conf.example
- fields.conf
  - fields.conf.spec
  - fields.conf.example
- field_actions.conf
  - field_actions.conf.spec
  - field_actions.conf.example
- indexes.conf
  - indexes.conf.spec
  - indexes.conf.example
- inputs.conf
  - inputs.conf.spec
  - inputs.conf.example
- literals.conf
  - literals.conf.spec
  - literals.conf.spec
- multikv.conf
  - multikv.conf.spec
  - Example
- outputs.conf
  - outputs.conf.spec
  - outputs.conf.example
- prefs.conf
  - prefs.conf.spec
  - prefs.conf.example
  - prefs.conf.example
- props.conf
  - props.conf.spec
- props.conf (cont)
  - props.conf.spec, continued
  - props.conf.example
- restmap.conf
  - restmap.conf.spec
  - restmap.conf.spec
- savedsearches.conf
  - savedsearches.conf.spec
  - savedsearches.conf.example
- segmenters.conf
  - segmenters.conf.spec
  - segmenters.conf.example
- server.conf
  - server.conf.spec
  - server.conf.example
- source-classifier.conf
  - Configuration
  - Example
- sourcetypes.conf
  - Configuration
  - Example
- streams.conf
  - streams.conf.example
- transactiontypes.conf
  - transactiontypes.conf.spec
  - transactiontypes.conf.example
- transforms.conf
  - transforms.conf.spec
  - transforms.conf.example
- user-seed.conf
  - user-seed.conf.spec
  - user-seed.conf.example
- web.conf
  - web.conf.spec
  - web.conf.example
Troubleshooting
- Contact Support
- Splunkd is down
  - Splunkd may need a few more seconds to come up
  - Your license file contains line-breaks or other hidden characters
- License issues
- Anonymize data samples
  - Simple method
  - Advanced method
- Unable to get a properly formatted response from the server
- Command line tools
  - btool
  - classify
  - exporttool
  - gzdumper
  - listtails
  - locktest
  - locktool
  - parsetest
  - pcregextest
  - regextest
  - searchtest
  - signtool
  - tsidxprobe

This page last updated: 04/14/08 01:04pm

Transaction search

Search for transactions using the transaction search command either in Splunk Web or at the CLI. The transaction command yields groupings of events which may then be used in reports. To use transaction, either call a transaction type (that you configured via transactiontypes.conf), or define transaction constraints in your search by setting the specification options of transaction.

You may add transaction to any search. For best search performance, craft your search and then pipe it to the transaction command. Here are some examples:

This search picks the first src_ip lexicographically.

* [search | stats dc(source) as source_count by src_ip | search source_count > 1 | fields src_ip | head 1] | transaction fields=src_ip

This search picks the most recent src_ip temporally.

* [search | stats dc(source) as source_count max(_time) as _time by src_ip | search source_count > 1 | sort -_time | fields src_ip | head 1] | transaction fields=src_ip

This search picks the src_ip with the most sources.

* [search | stats dc(source) as source_count by src_ip | search source_count > 1 | sort -source_count | fields src_ip | head 1] | transaction fields=src_ip

This search picks the src_ip with the most events.

* [search | stats dc(source) as source_count count by src_ip | search source_count > 1 | sort -count | fields + src_ip | head 1] | transaction fields=src_ip

Transactions returned at search time consist of the raw text of each event, the shared event types, and the field values. Transactions also have additional data that is stored in the fields: duration and transactiontype. duration contains the duration of the transaction (the difference between the timestamps of the first and last events of the transaction). transactiontype is the name of the transaction (defined in transactiontypes.conf by the transaction's stanza name).

Transactions and macro search

Transactions and macro search are a powerful combination that allow substitution into your transaction searches. Make a transaction search and then save it with $field$ to allow substitution.

Previous: Transaction types via configuration files | Next: How search works

Comments

No comments have been submitted.

Log in to comment.