counterpolt.blogg.se

Calculate end time splunk transaction










A transaction type is a configured transaction, saved as a field and used in conjunction with the transaction command. Any number of data sources can generate transactions over multiple log entries.

A transaction search is useful for a single observation of any physical event stretching over multiple logged events. Use the transaction command to define a transaction or override transaction options specified in nf.

One common use of a transaction search is to group multiple events into a single meta-event that represents a single physical event. For example, an out of memory problem could trigger several database events to be logged, and they can all be grouped together into a transaction. To learn more, see Identify and group events into transactions in this manual.

Transaction search example

This example uses the sample data from the Search Tutorial but should work with any format of Apache web access log. To try this example on your own Splunk instance, you must download the sample data and follow the instructions to get the tutorial data into Splunk. Use the time range All time when you run the search.

This example searches for transactions with the same session ID and IP address.

sourcetype=access_* | transaction JSESSIONID clientip startswith="view" endswith="purchase" | where duration>0

This example defines a transaction as a group of events that have the same session ID, JSESSIONID, and come from the same IP address, clientip, and where the first event contains the string, "view", and the last event contains the string, "purchase". The search defines the first event in the transaction as events that include the string, "view", using the startswith="view" argument.
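The grouping in the search above can be modelled offline to see where a transaction's end time comes from. The transaction command sets _time to the timestamp of the earliest event and adds a duration field (last event time minus first event time), so the end time is _time + duration. The following is an added example, not code from the original page or from Splunk: a simplified Python model in which the log lines are constructed sample data and the names parse, transactions and end_time are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample lines in Apache access-log style (not real data).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:00:00 +0000] "GET /product.screen?action=view&JSESSIONID=SD1SL1FF1 HTTP/1.1" 200 1500
10.0.0.9 - - [12/Mar/2024:10:00:05 +0000] "GET /product.screen?action=view&JSESSIONID=SD2SL2FF2 HTTP/1.1" 200 1500
10.0.0.5 - - [12/Mar/2024:10:00:20 +0000] "GET /cart.do?action=addtocart&JSESSIONID=SD1SL1FF1 HTTP/1.1" 200 900
10.0.0.5 - - [12/Mar/2024:10:01:30 +0000] "POST /cart.do?action=purchase&JSESSIONID=SD1SL1FF1 HTTP/1.1" 200 700
10.0.0.9 - - [12/Mar/2024:10:02:00 +0000] "GET /category.screen?JSESSIONID=SD2SL2FF2 HTTP/1.1" 200 400
"""

LINE_RE = re.compile(r'^(?P<clientip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
SID_RE = re.compile(r"JSESSIONID=(\w+)")

def parse(line):
    """Extract _time, clientip and JSESSIONID from one access-log line."""
    m = LINE_RE.match(line)
    sid = SID_RE.search(line) if m else None
    if not (m and sid):
        return None  # skip lines without the grouping fields
    t = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return {"_time": t, "clientip": m["clientip"],
            "JSESSIONID": sid.group(1), "_raw": line}

def transactions(log, startswith="view", endswith="purchase"):
    """Group events by (JSESSIONID, clientip) between a start and an end event."""
    open_txn, closed = {}, []
    events = sorted(filter(None, map(parse, log.splitlines())),
                    key=lambda e: e["_time"])
    for ev in events:
        key = (ev["JSESSIONID"], ev["clientip"])
        if startswith in ev["_raw"]:
            open_txn[key] = [ev]          # a start event (re)opens the group
        elif key in open_txn:
            open_txn[key].append(ev)
        if endswith in ev["_raw"] and key in open_txn:
            evs = open_txn.pop(key)       # an end event closes the group
            start = evs[0]["_time"]
            duration = evs[-1]["_time"] - start
            closed.append({"JSESSIONID": key[0], "clientip": key[1],
                           "_time": start, "duration": duration,
                           "end_time": start + duration,  # hypothetical field
                           "eventcount": len(evs)})
    # Groups that never see an end event are dropped; then `where duration>0`.
    return [t for t in closed if t["duration"] > 0]
```

In Splunk itself the same end time is obtained by appending an eval such as `| eval end_time=_time+duration` to the search.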


A transaction is any group of conceptually-related events that spans time, such as a series of events related to the online reservation of a hotel room by a single customer, or a set of events related to a firewall intrusion incident.










