This is a great feature to be added (I didn't find that the whole metaevents feature was really that useful) but I'm still wondering how to do transitive events with it: I am supposed to be able to specify several fields like in metaevents but how should the fields be listed? Separating the fieldnames with commas certainly does not work.
'* | transam fields=id1, id2' for example, simply returns an error.
Sorry, just bumping this up to see if you can answer my question. I still can't find anything in the documentation explaining this.
Multiple fields in transam/transaction seem not to work so well. I will let you know what I find out.
That's a bit disappointing as I thought that that was the main advantage of the transaction processor: to link several log files that might use different transaction ids.
I'll wait to hear from you. I was expecting it to be a syntax issue...
I was expecting it to be a syntax issue, too. However, transaction is still useful to group together transaction events in order to better see the flow of a unique id, ip, user, etc. through your logs.
Any news on grouping log files with transam using several ids? So if files logA and logB use transactionid1 to identify a trade and files logB and logC use transactionid2 to identify the same trade, then by specifying the two ids, you can follow the transaction as it goes through logA, logB and logC (that was my understanding of what "transitive meta events" were).
From experience this is useful when several applications/teams identify the transaction in a different way.
Will this be "fixed" in a future release? As the documentation did seem to suggest that you can specify several ids, just as with metaevents.
You should be able to do this now by enclosing the fields in double quotes:
| transaction fields="id1, id2"
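The transitive grouping asked about in this thread (logA and logB share transactionid1, logB and logC share transactionid2), sketched in Python as an added example that is not part of the thread and does not show how Splunk implements transaction. The sample events and the helper name group_transitively are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events: logA and logB share transactionid1,
# logB and logC share transactionid2 (field names taken from the thread).
EVENTS = [
    {"source": "logA", "transactionid1": "T-100", "msg": "order received"},
    {"source": "logB", "transactionid1": "T-100", "transactionid2": "X-9", "msg": "order routed"},
    {"source": "logC", "transactionid2": "X-9", "msg": "order settled"},
    {"source": "logA", "transactionid1": "T-200", "msg": "order received"},
    {"source": "logC", "transactionid2": "X-7", "msg": "orphan settlement"},
]

def group_transitively(events, fields):
    """Group events linked, directly or through a chain, by a shared (field, value)."""
    parent = list(range(len(events)))  # union-find forest over event indexes

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving keeps lookups short
            i = parent[i]
        return i

    first_seen = {}  # (field, value) -> index of the first event carrying it
    for idx, ev in enumerate(events):
        for f in fields:
            val = ev.get(f)
            if val is None:
                continue  # an event without this field links nothing through it
            key = (f, val)  # keyed per field, so equal values in different fields do not link
            if key in first_seen:
                a, b = find(first_seen[key]), find(idx)
                parent[max(a, b)] = min(a, b)  # earliest event stays the root
            else:
                first_seen[key] = idx

    groups = defaultdict(list)
    for idx, ev in enumerate(events):
        groups[find(idx)].append(ev)
    return [groups[root] for root in sorted(groups)]

if __name__ == "__main__":
    fields = ["transactionid1", "transactionid2"]
    for n, grp in enumerate(group_transitively(EVENTS, fields), 1):
        print(n, [(e["source"], e["msg"]) for e in grp])
```

The logC event never carries transactionid1, yet it lands in the same group as the logA event because the logB event carries both ids.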