Splunk Enterprise Fundamental Part2 Module3

1. Course Content

  • Identify transactions
  • Group events using fields
  • Group events using fields and time
  • Search with transactions
  • Report on transactions
  • Determine when to use transactions vs. stats


2.1. Search with transactions

sourcetype=access_* | transaction JSESSIONID clientip startswith="view" endswith="purchase" | where duration>0

The where filter cannot be applied before the transaction command, because the duration field is only added by the transaction command.

The transaction command is most useful in two specific cases:

  • When a unique ID (from one or more fields) alone is not sufficient to discriminate between two transactions
  • When it is desirable to see the raw text of the events combined, rather than an analysis of the constituent fields of the events

For example, to compute statistics on the duration of trades identified by the unique ID trade_id:

... | transaction trade_id | chart count by duration span=log2

You can get the same result with the following search, which is faster and uses less memory because stats does not have to keep the raw events:

... | stats range(_time) as duration by trade_id | chart count by duration span=log2

If, however, the trade_id values are reused but each trade ends with some text, such as "END", the only solution is to use this transaction search:

... | transaction trade_id endswith=END | chart count by duration span=log2

If trade_id values are reused, but never within a 10 minute window, the pause between events can separate the trades instead:

... | transaction trade_id maxpause=10m | chart count by duration span=log2

2.2. Identify and group events into transactions

Transactions can include:

  • Different events from the same source and the same host
  • Different events from different sources from the same host
  • Similar events from different hosts and different sources

Transactions returned at search time consist of the raw text of each event, the shared event types, and the field values. Transactions also carry two additional fields: duration and transactiontype.

  • duration
    contains the duration of the transaction (the difference between the timestamps of the first and last events of the transaction)
  • transactiontype
    is the name of the transaction (as defined in transactiontypes.conf by the transaction's stanza name)

The transaction command accepts the following arguments:

  • name=<transaction-name>
    uses a transaction definition from transactiontypes.conf, for example:
    sourcetype=access_* | transaction name=web_purchase maxevents=5
  • <field-list>
    one or more fields whose values must match for events to be grouped, for example:
    ... | transaction host,cookie
  • maxspan
    sets the maximum total duration of one transaction
  • maxpause
    specifies the maximum pause between transactions
  • startswith=<string>
    marks the beginning of a new transaction; the value can also be an eval expression, for example:
    startswith=eval(speed_field < max_speed_field)
  • endswith=<transam-filter-string>
    marks the end of a transaction

Example: group access events per client, allowing at most 5 minutes between consecutive events and a total span of at most 3 hours:

sourcetype=access_* | transaction clientip maxpause=5m maxspan=3h
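To make the difference between transaction and stats concrete, here is an added example that is not part of the course notes and not Splunk code: a small Python model of the searches in sections 2.1 and 2.2. It groups a constructed event sample (trade_id values are reused, each trade ends with an "END" event) the way transaction trade_id does with endswith, startswith, maxpause and maxspan, computes the stats range(_time) by trade_id alternative, and bins durations like chart count by duration span=log2. Everything in it is an assumption for illustration: the sample data, the simplified grouping rules (it walks events in ascending time order and only implements the four options shown), and the bin labels.

```python
import math
from dataclasses import dataclass, field

# Constructed sample events (not real Splunk data): seconds since the start of
# the sample, the trade_id, and the raw event text. T1 is reused after 30 min.
@dataclass
class Event:
    time: int
    trade_id: str
    raw: str

EVENTS = [
    Event(0, "T1", "START trade"),
    Event(60, "T1", "fill"),
    Event(120, "T1", "END"),
    Event(600, "T2", "START trade"),
    Event(660, "T2", "END"),
    Event(700, "T3", "START trade"),   # lone event: duration 0
    Event(1800, "T1", "START trade"),  # trade_id T1 reused
    Event(1900, "T1", "END"),
]

@dataclass
class Transaction:
    trade_id: str
    events: list = field(default_factory=list)

    @property
    def duration(self) -> int:
        # Same definition as the Splunk duration field: last minus first timestamp
        return self.events[-1].time - self.events[0].time

def transaction(events, maxpause=None, maxspan=None, startswith=None, endswith=None):
    """Simplified model of `transaction trade_id` with the options from section 2.2.

    An open transaction per trade_id is closed when an event matches startswith,
    when the pause since its last event exceeds maxpause, or when its total span
    would exceed maxspan; an event matching endswith closes it after being added.
    """
    done, open_txns = [], {}
    for ev in sorted(events, key=lambda e: e.time):
        cur = open_txns.get(ev.trade_id)
        if cur is not None and (
            (startswith and startswith in ev.raw)
            or (maxpause is not None and ev.time - cur.events[-1].time > maxpause)
            or (maxspan is not None and ev.time - cur.events[0].time > maxspan)
        ):
            done.append(open_txns.pop(ev.trade_id))
            cur = None
        if cur is None:
            cur = open_txns[ev.trade_id] = Transaction(ev.trade_id)
        cur.events.append(ev)
        if endswith and endswith in ev.raw:
            done.append(open_txns.pop(ev.trade_id))
    done.extend(open_txns.values())  # transactions still open at the end of the data
    return done

def where_duration_positive(txns):
    """Model of `| where duration>0`, which only works after transaction ran."""
    return [t for t in txns if t.duration > 0]

def stats_range_time(events):
    """Model of `stats range(_time) as duration by trade_id`: one row per id."""
    by_id = {}
    for ev in events:
        lo, hi = by_id.get(ev.trade_id, (ev.time, ev.time))
        by_id[ev.trade_id] = (min(lo, ev.time), max(hi, ev.time))
    return {tid: hi - lo for tid, (lo, hi) in by_id.items()}

def chart_count_by_duration_log2(durations):
    """Model of `chart count by duration span=log2`: count per [2^k, 2^(k+1)) bin."""
    counts = {}
    for d in durations:
        if d < 1:
            key = "<1"
        else:
            lo = 2 ** math.floor(math.log2(d))
            key = f"{lo}-{2 * lo}"
        counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    print("stats range(_time):", stats_range_time(EVENTS))
    for opts in ({}, {"endswith": "END"}, {"maxpause": 600}, {"startswith": "START"}):
        durs = sorted(t.duration for t in transaction(EVENTS, **opts))
        print(f"transaction {opts or 'trade_id only'}: durations {durs}")
```

With no options, transaction and stats agree (T1 spans the whole 1900 seconds because the reuse is not detected), which is why the cheaper stats search is preferred. With endswith="END", maxpause=600 (10 minutes) or startswith="START", the reused T1 splits into two trades of 120 and 100 seconds, and only the transaction command can express that.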