Grok’n Your Transactions – A Meta-Events How-To with Splunk

One of the coolest things you can do with Splunk (and there are a lot of cool things about Splunk) is mapping a transaction. Often, what people call a “transaction” is really a set of related events linked together by one or more common fields. At Interop 2007 in Las Vegas this year, the network management team used Splunk to very simply see the entire set of DHCP events (the transaction) for a client — why? When you hop on a network and get an IP address for your computer, four events actually occur: a DHCP Discover, Offer, Request and Acknowledge. Seeing all four of those events for your machine/computer/MAC address confirms that you got on the network and are as happy as a clam–hopefully.

In Splunk, we can easily link all four of those events (or the lack thereof) together in a “meta-event”, or an “event of events”. Using meta-events, we can create a whole new category of “success/failure” checking: the combination of those events lets us focus on and isolate a single user’s activity amongst everything else that’s going on.
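To make the “event of events” idea concrete outside of Splunk, here is an added example (not code from the post, and not Splunk search syntax) that does the same correlation in plain Python: it parses DHCP server log lines, groups them per MAC address into one meta-event per lease attempt, and marks each as success (all four stages seen, ending in an ACK) or failure (stages missing). The sample lines are constructed for this example and modelled on ISC dhcpd syslog output; the `maxspan_seconds` window and the rule that a new Discover starts a new transaction are my own assumptions, not anything the post prescribes.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on ISC dhcpd syslog output (not real data).
# Client 1 completes all four stages; client 2 stalls after the Offer;
# client 3 never gets past its Discover.
SAMPLE_LOG = """\
Oct 12 09:00:01 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth0
Oct 12 09:00:01 dhcp1 dhcpd: DHCPOFFER on 10.0.0.42 to 00:11:22:33:44:55 via eth0
Oct 12 09:00:02 dhcp1 dhcpd: DHCPREQUEST for 10.0.0.42 from 00:11:22:33:44:55 via eth0
Oct 12 09:00:02 dhcp1 dhcpd: DHCPACK on 10.0.0.42 to 00:11:22:33:44:55 via eth0
Oct 12 09:00:05 dhcp1 dhcpd: DHCPDISCOVER from aa:bb:cc:dd:ee:ff via eth0
Oct 12 09:00:05 dhcp1 dhcpd: DHCPOFFER on 10.0.0.77 to aa:bb:cc:dd:ee:ff via eth0
Oct 12 09:00:09 dhcp1 dhcpd: DHCPDISCOVER from de:ad:be:ef:00:01 via eth0
"""

# The four stages of a DHCP lease, in the order they must occur.
STAGES = ["DHCPDISCOVER", "DHCPOFFER", "DHCPREQUEST", "DHCPACK"]

# Field extraction: timestamp, stage, optional IP, and the client MAC (the common field).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+dhcpd:\s+"
    r"(?P<stage>DHCP(?:DISCOVER|OFFER|REQUEST|ACK))\b"
    r"(?:\s+(?:on|for)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}))?"
    r"\s+(?:from|to)\s+(?P<mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5})",
    re.IGNORECASE,
)


def parse_dhcp_events(text):
    """Turn raw syslog text into event dicts; lines that are not dhcpd stage messages are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "time": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
            "stage": m.group("stage").upper(),
            "mac": m.group("mac").lower(),
            "ip": m.group("ip"),
        })
    return events


def build_transactions(events, maxspan_seconds=30):
    """Group events into one meta-event per MAC address.

    Assumption (mine, not the post's): a new transaction begins on every
    DHCPDISCOVER, or when an event arrives more than maxspan_seconds after
    the transaction's first event, so unrelated attempts are not merged.
    """
    open_tx = {}   # mac -> transaction still being assembled
    finished = []
    for ev in sorted(events, key=lambda e: e["time"]):   # stable sort keeps log order for ties
        tx = open_tx.get(ev["mac"])
        too_old = tx is not None and (ev["time"] - tx["start"]).total_seconds() > maxspan_seconds
        if tx is None or ev["stage"] == "DHCPDISCOVER" or too_old:
            if tx is not None:
                finished.append(tx)
            tx = {"mac": ev["mac"], "start": ev["time"], "end": ev["time"], "stages": [], "ip": None}
            open_tx[ev["mac"]] = tx
        tx["stages"].append(ev["stage"])
        tx["end"] = ev["time"]
        if ev["ip"]:
            tx["ip"] = ev["ip"]
    finished.extend(open_tx.values())

    for tx in finished:
        tx["missing"] = [s for s in STAGES if s not in tx["stages"]]
        # Success = every stage present and the exchange ended with the server's ACK.
        tx["complete"] = not tx["missing"] and tx["stages"][-1] == "DHCPACK"
        tx["span_seconds"] = (tx["end"] - tx["start"]).total_seconds()
    return sorted(finished, key=lambda t: t["start"])


def summarize(transactions):
    """Return (mac, status, detail) rows, the kind of table you would alert or report on."""
    rows = []
    for tx in transactions:
        if tx["complete"]:
            rows.append((tx["mac"], "success", f"{tx['ip']} in {tx['span_seconds']:.0f}s"))
        else:
            rows.append((tx["mac"], "failure", "missing " + ", ".join(tx["missing"])))
    return rows


if __name__ == "__main__":
    for row in summarize(build_transactions(parse_dhcp_events(SAMPLE_LOG))):
        print(*row, sep="\t")
```

Run as-is and it reports one success and two failures, each failure naming the stages that never showed up, which is exactly the “lack thereof” the post is after. Note that a lease renewal legitimately consists of only a Request and an ACK; if your logs contain renewals you would want a separate rule for transactions that start with a Request rather than flagging them as failed.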

I’ve featured Splunk 3.0 in this video; the same techniques work in Splunk 2.2 with some slight modifications to the syntax.

No “funny SplunkNinja episode” here, I had to whip it out much quicker than a SplunkNinja video–but don’t worry, the ninja’s in the dojo, working on more media for you. In the meantime, check out this quick How-To (there is video and audio as usual).


Posted by Michael Wilde