Splunk

Splunk Enterprise Fundamental Part2 Module3

1. Course Content

  • Identify transactions
  • Group events using fields
  • Group events using fields and time
  • Search with transactions
  • Report on transactions
  • Determine when to use transactions vs. stats

2. Start

2.1.Search with transactions

sourcetype=access_* | transaction JSESSIONID clientip startswith="view" endswith="purchase" | where duration>0

The where filter cannot be applied before the transaction command, because the duration field is created by transaction and does not exist until then.

The transaction command is most useful in two specific cases:

  • When a unique ID (from one or more fields) alone is not sufficient to discriminate between two transactions
  • When it is desirable to see the raw text of the events combined rather than an analysis on the constituent fields of the events

For example, to compute statistics on the duration of trades identified by the unique ID trade_id:

... | transaction trade_id | chart count by duration span=log2

You can get the same result with the following search:

... | stats range(_time) as duration by trade_id | chart count by duration span=log2

If, however, the trade_id values are reused but each trade ends with some text, such as "END", the only solution is to use this transaction search:

... | transaction trade_id endswith=END | chart count by duration span=log2

If trade_id values are reused, but never within a 10-minute window, maxpause can separate them:

... | transaction trade_id maxpause=10m | chart count by duration span=log2

2.2.Identify and group events into transactions

Transactions can include:

  • Different events from the same source and the same host
  • Different events from different sources from the same host
  • Similar events from different hosts and different sources

Transactions returned at search time consist of the raw text of each event, the shared event types, and the field values. Transactions also carry additional data stored in two fields: duration and transactiontype.

  • duration
    contains the duration of the transaction (the difference between the timestamps of the first and last events of the transaction)
  • transactiontype
    is the name of the transaction (as defined in transactiontypes.conf by the transaction's stanza name)

Options:

  • name=<transaction-name>
    sourcetype=access_* | transaction name=web_purchase maxevents=5
  • [field-list]
    ... | transaction host,cookie
  • maxspan
    sets the maximum duration of one transaction
  • maxpause
    specifies the maximum pause between transactions
  • startswith=<string>
    marks the beginning of a new transaction
    examples:
      startswith="login"
      startswith=(username=foobar)
      startswith=eval(speed_field < max_speed_field)
  • endswith=<transam-filter-string>
    marks the end of a transaction
    examples:
      endswith="logout"
      endswith=(username=foobar)

Example:

sourcetype=access_* | transaction clientip maxpause=5m maxspan=3h
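To make the grouping semantics of sections 2.1 and 2.2 concrete, here is an added Python emulation (not Splunk code, and not from the original post) of `transaction <field>` with the endswith and maxpause options, run against a small constructed event set in which a trade_id is reused. It shows why `stats range(_time) by trade_id` collapses the reused ID into one inflated duration while transaction with endswith=END or maxpause keeps the trades apart; the field name, message values and timestamps are all assumed.

```python
# Constructed sample events (assumed, not from the page): _time is seconds since an
# arbitrary epoch, and trade_id "T1" is reused for a second trade long after the first.
EVENTS = [
    {"_time": 0,    "trade_id": "T1", "msg": "START"},
    {"_time": 30,   "trade_id": "T1", "msg": "FILL"},
    {"_time": 60,   "trade_id": "T1", "msg": "END"},
    {"_time": 5000, "trade_id": "T1", "msg": "START"},   # same id, new trade
    {"_time": 5020, "trade_id": "T1", "msg": "END"},
    {"_time": 100,  "trade_id": "T2", "msg": "START"},
    {"_time": 700,  "trade_id": "T2", "msg": "END"},
]


def transaction(events, field, endswith=None, maxpause=None):
    """Emulate `transaction <field> [endswith=<msg>] [maxpause=<seconds>]`.

    Events are processed in time order and grouped by `field`. A group is closed
    when an event's msg equals `endswith`, or when the gap since the group's last
    event exceeds `maxpause`. Each closed group gets the Splunk-style summary
    fields eventcount and duration (last _time minus first _time)."""
    open_groups = {}   # field value -> events of the in-progress transaction
    closed = []

    def close(key):
        evs = open_groups.pop(key)
        closed.append({field: key, "eventcount": len(evs),
                       "duration": evs[-1]["_time"] - evs[0]["_time"]})

    for ev in sorted(events, key=lambda e: e["_time"]):
        key = ev[field]
        if (key in open_groups and maxpause is not None
                and ev["_time"] - open_groups[key][-1]["_time"] > maxpause):
            close(key)            # pause too long: the earlier transaction is complete
        open_groups.setdefault(key, []).append(ev)
        if endswith is not None and ev["msg"] == endswith:
            close(key)            # terminating event seen: emit this transaction
    for key in list(open_groups):  # flush groups that never saw an end marker
        close(key)
    return closed


def stats_range_time(events, field):
    """Emulate `stats range(_time) as duration by <field>`: one row per field value,
    so a reused id yields a single duration spanning both trades."""
    times = {}
    for ev in events:
        times.setdefault(ev[field], []).append(ev["_time"])
    return {k: max(v) - min(v) for k, v in times.items()}
```

With these events, `transaction(EVENTS, "trade_id", endswith="END")` and `transaction(EVENTS, "trade_id", maxpause=600)` both yield three transactions with durations 60, 600 and 20, whereas `stats_range_time` reports 5020 for T1.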
Author: linuxwt, https://linuxwt.com