Hi, I've been trying to use the transam command in the preview version of Splunk. How should this command be used when applying it to extracted fields? Despite the extracted fields existing, sometimes the command will not return any meta-events.
At the bare minimum, the transam command requires the fields=foo argument. Try this search:
>index::sampledata | transam fields=clientip
This should give you transactional events, each composed of the series of events that Splunk thinks make up one transaction. In this case, you can see the flow of clientIp values through the access logs in our sampledata. You will notice that two fields, duration and transaction_type, are automatically created when you run transam. Duration is the total duration of the transaction, and can handle milliseconds. Transaction_type corresponds to any entries you create in transactiontypes.conf (see the spec and example files).
By specifying maxpause and maxspan, you can define the maximum span of a transaction and the maximum pause between events before an event no longer qualifies as part of the same transaction.
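To make the maxpause/maxspan semantics concrete, here is a small Python model of field-based transaction grouping. It is an added example, not Splunk's code or anything from the original post: the `transam()` function, the `Transaction` class and the constructed access-log lines are all hypothetical stand-ins. It groups events by a field (clientip here), closes a transaction when the gap from the previous event exceeds maxpause or the span from the first event exceeds maxspan, computes a duration field, and also shows what happens when only the N most recent events are piped in.

```python
"""Toy model of transam-style transaction grouping.

Added example, not Splunk's own code.  It groups events that share a field
value into transactions, closing a transaction when the gap from the previous
event exceeds maxpause or the span from the first event exceeds maxspan, and
computes each transaction's duration.  The semantics follow the thread's
description; how Splunk breaks ties internally is an assumption.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample access-log lines (not real traffic, not the page's sampledata).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "POST /login HTTP/1.1" 302 0
10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET / HTTP/1.1" 200 1024
10.0.0.5 - - [10/Oct/2023:13:56:02 +0000] "GET /account HTTP/1.1" 200 2048
10.0.0.5 - - [10/Oct/2023:14:10:00 +0000] "GET /logout HTTP/1.1" 200 128
10.0.0.9 - - [10/Oct/2023:13:55:43 +0000] "GET /static/app.js HTTP/1.1" 200 4096
"""

LINE_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)"'
)


def parse_events(text):
    """Extract _time, clientip and request from combined-format log lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # no extracted fields, so the line can never join a transaction
        events.append({
            "_time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "clientip": m.group("clientip"),
            "request": m.group("request"),
        })
    return events


@dataclass
class Transaction:
    key: tuple
    events: list = field(default_factory=list)

    @property
    def duration(self):
        """Seconds from first to last event, like the auto-created duration field."""
        return (self.events[-1]["_time"] - self.events[0]["_time"]).total_seconds()


def transam(events, fields, maxpause=None, maxspan=None):
    """Group events by the values of `fields` (hypothetical stand-in for transam fields=...).

    maxpause: maximum gap, in seconds, between consecutive events of one transaction
    maxspan:  maximum distance, in seconds, from a transaction's first event to its last
    None means unlimited.  Events lacking any of the fields are skipped.
    """
    pause = timedelta(seconds=maxpause) if maxpause is not None else None
    span_limit = timedelta(seconds=maxspan) if maxspan is not None else None
    open_txns = {}  # key -> transaction still accepting events
    closed = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        key = tuple(ev.get(f) for f in fields)
        if any(v is None for v in key):
            continue
        txn = open_txns.get(key)
        if txn is not None:
            gap = ev["_time"] - txn.events[-1]["_time"]
            span = ev["_time"] - txn.events[0]["_time"]
            if (pause is not None and gap > pause) or (span_limit is not None and span > span_limit):
                closed.append(txn)  # this event starts a new transaction for the same key
                txn = None
        if txn is None:
            txn = Transaction(key)
            open_txns[key] = txn
        txn.events.append(ev)
    closed.extend(open_txns.values())
    return sorted(closed, key=lambda t: t.events[0]["_time"])


def most_recent(events, n):
    """Keep only the n most recent events, mimicking a result cap on the piped input."""
    return sorted(events, key=lambda e: e["_time"], reverse=True)[:n]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for t in transam(evs, ["clientip"], maxpause=30):
        print(t.key[0], len(t.events), "events, duration", t.duration)
    # With only the 4 most recent events fed in, 10.0.0.5's login events never reach the grouper.
    for t in transam(most_recent(evs, 4), ["clientip"], maxpause=30):
        print("truncated:", t.key[0], len(t.events), "events")
```

With maxpause=30 the three 10.0.0.5 requests at 13:55:36, 13:55:40 and 13:56:02 form one 26-second transaction and the 14:10:00 logout starts a new one; adding maxspan=20 splits the first group after the login pair because the third event would stretch the span to 26 seconds. Feeding in only the four most recent events drops the login events entirely, which is the same effect a result cap on the piped input has on the real command.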
Hi,
Just a few comments:
I'm now understanding the behaviour of the transam but if you "pipe" results into transam as you do in your search request above, only "maxresults" events are fed into transam so by default only the 50000 most recent events. This is quite a big drawback for this feature in my opinion... unless there's a way of working around this.
I think the preview documentation says that maxpause is the between-transaction time. That should be changed to what you stated: it's the maximum inter-event time within a transaction.
This is somewhat unrelated, but how do you manage milliseconds in timestamps?
You would just need to increase your maxresults and the search processor's maxinputs to get more data into the transaction search.
If you want to see the actual timestamp as a field do this:
> * | eval time = _t | fields + time