What is Splunk Transaction Command? How to use it?

HTML KICK
2 min read · Jun 27, 2021


Splunk Transaction Command

Splunk Transaction Command: A transaction is any group of conceptually related events that spans time, for example a series of events related to the online reservation of a hotel by a single customer, or a set of events related to a firewall intrusion incident. A transaction type is a configured transaction, saved as a field and used together with the transaction command. Any number of data sources can generate transactions that span multiple log entries.

A transaction search is useful for a single observation of any physical event stretching over multiple logged events. Use the transaction command to define a transaction or override transaction options specified in transactiontypes.conf.

One common use of a transaction search is to group multiple events into a single meta-event that represents a single physical event. For example, an out of memory problem could trigger several database events to be logged, and they can all be grouped together into a transaction.

To learn more, see Identify and group events into transactions in the Splunk Search Manual.

Splunk Transaction search example

This example uses the sample data from the Search Tutorial but should work with any Apache web access log format. To try this example on your own Splunk instance, you must download the sample data and follow the instructions to get the tutorial data into Splunk. Use the time range All time when you run the search.

This example searches for transactions with the same session ID and IP address. It defines a transaction as a group of events that have the same session ID, JSESSIONID, and come from the same IP address, clientip, where the first event contains the string "view" and the last event contains the string "purchase".

The search defines the first event in the transaction as an event that includes the string "view", using the startswith="view" argument. The endswith="purchase" argument does the same for the last event in the transaction.

This example then pipes the transactions into the where command and uses the duration field to filter out all of the transactions that took less than a minute to complete. The where filter cannot be applied before the transaction command, because the duration field is added by the transaction command. The values in the duration field show the difference, in seconds, between the timestamps of the first and last events in the transaction.
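To make the search concrete, here is an added example that is not from the original post and not Splunk's own code or documentation: the SPL query as reconstructed from the description above, plus a small Python simulation of what the transaction command does to a handful of constructed Apache access log lines. The sample lines, the choice to carry action and JSESSIONID as query parameters, the 60-second threshold (reading "filter out transactions that took less than a minute" as dropping them), and the decision to emit only transactions closed by an endswith match are all assumptions of this example; Splunk's real handling of open and evicted transactions is not modelled.

```python
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# The search the text describes, as reconstructed here (assumed form, not copied
# from the page). duration only exists after the transaction command, so the
# where clause has to come last.
SPL_QUERY = (
    'sourcetype=access_* '
    '| transaction JSESSIONID clientip startswith="view" endswith="purchase" '
    '| where duration>=60'
)

# Constructed sample events in Apache access-log style, loosely modelled on the
# Search Tutorial data, where action and JSESSIONID are query parameters.
SAMPLE_LOG = """\
10.0.0.1 - - [27/Jun/2021:10:00:00 +0000] "GET /product.screen?productId=1&action=view&JSESSIONID=SD1A HTTP/1.1" 200 512
10.0.0.1 - - [27/Jun/2021:10:00:20 +0000] "POST /cart.do?action=addtocart&JSESSIONID=SD1A HTTP/1.1" 200 128
10.0.0.1 - - [27/Jun/2021:10:00:45 +0000] "POST /cart.do?action=purchase&JSESSIONID=SD1A HTTP/1.1" 200 256
10.0.0.2 - - [27/Jun/2021:10:01:00 +0000] "GET /product.screen?productId=2&action=view&JSESSIONID=SD2B HTTP/1.1" 200 512
10.0.0.2 - - [27/Jun/2021:10:03:30 +0000] "POST /cart.do?action=purchase&JSESSIONID=SD2B HTTP/1.1" 200 256
10.0.0.3 - - [27/Jun/2021:10:02:00 +0000] "GET /product.screen?productId=3&action=view&JSESSIONID=SD3C HTTP/1.1" 200 512
10.0.0.3 - - [27/Jun/2021:10:02:10 +0000] "POST /cart.do?action=addtocart&JSESSIONID=SD3C HTTP/1.1" 200 128
"""

LINE_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d+) (?P<bytes>\d+)$'
)


def parse_event(line):
    """Extract clientip, _time, JSESSIONID and action from one line; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    query = parse_qs(urlsplit(m.group("uri")).query)
    return {
        "_raw": line,
        "_time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "clientip": m.group("clientip"),
        "JSESSIONID": query.get("JSESSIONID", [None])[0],
        "action": query.get("action", [None])[0],
    }


def transaction(events, fields, startswith, endswith):
    """Simulate `transaction <fields> startswith=... endswith=...`.

    Events are walked in time order. An event whose _raw contains `startswith`
    opens a transaction for its field-value key, later events with the same key
    are appended, and an event containing `endswith` closes it. Only closed
    transactions are returned (a simplification of Splunk's behaviour).
    """
    open_txns = {}
    closed = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        key = tuple(ev[f] for f in fields)
        if any(v is None for v in key):
            continue  # event lacks one of the grouping fields
        if startswith in ev["_raw"]:
            open_txns[key] = [ev]  # a new start replaces an unfinished transaction
            continue
        if key not in open_txns:
            continue  # nothing open for this key
        open_txns[key].append(ev)
        if endswith in ev["_raw"]:
            members = open_txns.pop(key)
            closed.append({
                "key": dict(zip(fields, key)),
                "_time": members[0]["_time"],
                "eventcount": len(members),
                # duration: seconds between the first and last event, the field
                # the where clause filters on
                "duration": (members[-1]["_time"] - members[0]["_time"]).total_seconds(),
            })
    return closed


def where_duration_at_least(txns, seconds=60):
    """The `where duration>=60` step: keep transactions that ran at least this long."""
    return [t for t in txns if t["duration"] >= seconds]


def run_example(raw_log=SAMPLE_LOG):
    """Parse the sample, group into transactions, then apply the duration filter."""
    events = [e for e in (parse_event(line) for line in raw_log.splitlines()) if e]
    txns = transaction(events, ["JSESSIONID", "clientip"],
                       startswith="view", endswith="purchase")
    return txns, where_duration_at_least(txns, 60)


if __name__ == "__main__":
    print(SPL_QUERY)
    all_txns, slow = run_example()
    for t in all_txns:
        print(t["key"], "events:", t["eventcount"], "duration:", t["duration"])
    print("at least a minute:", [t["key"]["JSESSIONID"] for t in slow])
```

Run as a script, the simulation yields two closed transactions (SD1A with three events over 45 s, SD2B with two events over 150 s); session SD3C never reaches "purchase" and so never closes, and only SD2B survives the duration filter. The same ordering constraint the text describes shows up here: `where_duration_at_least` can only be applied to the output of `transaction`, because that is where `duration` is computed.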
