In this post, I’ll show you how to use Splunk’s Transaction search, with several powerful examples.
In the latest releases, we have search-time discovery of transactions with the new transaction search command. Transaction collapses a set of events that belong to one transaction into a single event. You can specify the parameters as arguments to the transaction operator right in the search, or you can refer to a named transaction definition in transactiontypes.conf. A few simple examples will give you an idea of some of the things you can do.
- Get events with 'http', and group the search results into "bursts" of events, putting any events that occur within two seconds of each other into the same transaction event. [Note: there is an implied "search" command at the head of all searches, so "http" is really "search http".]
http | transaction maxpause=2s
- Group 'http' events that share the same host and cookie values, allowing at most 30 seconds between consecutive events and at most 30 seconds for the whole transaction.
http | transaction host,cookie maxspan=30s maxpause=30s
- Group 'sendmail' events by uid into sessions that begin with a login event and end with a logout event, cutting a session off after 10 minutes in total or a 10-minute gap between events.
sendmail | transaction uid startswith="eventtype=login" endswith="eventtype=logout" maxspan=10m maxpause=10m
- Apply a named transaction type, email_transaction, whose parameters are defined in transactiontypes.conf instead of on the search line.
http | transaction email_transaction
- Find non-failed root logins, use localize to turn them into one-minute time ranges, and have map run a subsearch over each range that builds session transactions and keeps the ones containing a password change. (localize returns the ranges in the starttime and endtime fields, which map substitutes into $starttime$ and $endtime$.)
root login NOT fail* | localize maxspan=1m maxpause=1m | map search="search starttimeu=$starttime$ endtimeu=$endtime$ | transaction session | search password change"
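To make the grouping rules concrete, here is an added Python model of how transaction fields, startswith/endswith, maxspan and maxpause interact, run over a constructed set of sendmail-style login/logout events. This is illustration code written for this post, not Splunk's implementation: the eviction and memory-limit behaviour of the real command is not modelled, and the event dicts, `_raw` text and `sessions_without_logout` helper are my own.

```python
# Added example: a simplified model of `| transaction <fields> startswith=...
# endswith=... maxspan=... maxpause=...`. Events are constructed dicts with
# _time (epoch seconds), the grouping fields, and the raw event text in _raw.

def transaction(events, fields=(), maxpause=None, maxspan=None,
                startswith=None, endswith=None):
    """Return transactions with eventcount, duration and closed_txn
    (1 = ended by endswith, or no endswith required; 0 = cut off early)."""
    open_txns, out = {}, []

    def close(key, closed):
        evs = open_txns.pop(key)
        out.append({"events": evs, "eventcount": len(evs),
                    "duration": evs[-1]["_time"] - evs[0]["_time"],
                    "closed_txn": int(closed)})

    for ev in sorted(events, key=lambda e: e["_time"]):
        key = tuple(ev.get(f) for f in fields)   # same field values => same txn
        is_start = startswith is not None and startswith in ev["_raw"]
        if key in open_txns:
            cur = open_txns[key]
            gap = ev["_time"] - cur[-1]["_time"]    # checked against maxpause
            span = ev["_time"] - cur[0]["_time"]    # checked against maxspan
            if is_start or (maxpause is not None and gap > maxpause) \
                    or (maxspan is not None and span > maxspan):
                close(key, closed=endswith is None)  # boundary hit before endswith
        if key not in open_txns:
            if startswith is not None and not is_start:
                continue   # simplification: events before a start marker are dropped
            open_txns[key] = []
        open_txns[key].append(ev)
        if endswith is not None and endswith in ev["_raw"]:
            close(key, closed=True)
    for key in list(open_txns):                  # still open when the search ends
        close(key, closed=endswith is None)
    return sorted(out, key=lambda t: t["events"][0]["_time"])

# Constructed sample: alice logs in and out; bob's first session never logs out
# and a fresh login for bob appears 15 minutes later.
SAMPLE = [
    {"_time": 0,   "uid": "alice", "_raw": "eventtype=login uid=alice"},
    {"_time": 20,  "uid": "alice", "_raw": "mail sent uid=alice"},
    {"_time": 45,  "uid": "alice", "_raw": "eventtype=logout uid=alice"},
    {"_time": 5,   "uid": "bob",   "_raw": "eventtype=login uid=bob"},
    {"_time": 900, "uid": "bob",   "_raw": "eventtype=login uid=bob"},
    {"_time": 910, "uid": "bob",   "_raw": "eventtype=logout uid=bob"},
]

def sessions_without_logout(events):
    """The sendmail login/logout search above, keeping only cut-off sessions."""
    txns = transaction(events, fields=("uid",), startswith="eventtype=login",
                       endswith="eventtype=logout", maxspan=600, maxpause=600)
    return [t for t in txns if t["closed_txn"] == 0]
```

Sessions that never reached their logout marker come back with closed_txn=0, which is the kind of transaction a reviewer would want to look at first.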