A transaction is a “unit of work” or “grouped information” that you treat as one logical data point or singular target. Transactions are made up of multiple events or actions and may mean something entirely different when looked at as a group than when examined one by one.
Using either Splunk Web or its command line interface, you can search for and identify what is referred to as “related raw events” and group them into “one single event”, which you can then denote as “a single Splunk transaction”.
These events can be linked together by fields they have in common. In addition, transactions can be saved as transactional types for later reuse.
Your Splunk transactions can include:
- Different events from the same source/same host.
- Different events from different sources/same host.
- Similar events from different hosts/different sources.
Some Conceptual Examples
To help understand the power of Splunk transactional searches, let’s consider a few conceptual examples for its use:
- A certain server error triggers several events to be logged
- All events that occur within a precise time frame
- Events that share the same host or cookie value
- Password change attempts that occurred close in time to unsuccessful logins
- All of the web addresses a particular IP address viewed, over a time range
To use Splunk transactions, you can either call a transaction type (that you configured via the Splunk configuration file: transactiontypes.conf), or define transaction constraints within your search (by setting the search options of the transaction command).
Here is the transaction command syntax:
transaction [<field-list>] [name=<transaction-name>] <txn_definition-opt>* <memcontrol-opt>* <rendering-opt>*
Splunk transactions are made up of two key required arguments, a field name (or a comma-delimited list of field names) and your name for the transaction, plus several other optional arguments.
Field Name/List
The field list is a string value made up of one or more field names whose values you want Splunk to use for grouping events into transactions.
Transaction Name
This is the ID (name) by which your transaction will be referred to, or the name of a transaction type from transactiontypes.conf.
Optional Arguments
If other configuration arguments (such as maxspan) are provided in your Splunk search, they override the value of that parameter specified in the transaction definition (within the transactiontypes.conf file). If a parameter is specified in neither place, Splunk uses its default value.
Here is an example
A simple example of a Splunk transaction is one that groups Cognos TM1 ERROR events from a message log that share the same value for the field “date_month” (in other words, errors that occur in the same month), with a maximum span of 90 seconds:
sourcetype=tm1* ERROR | transaction date_month maxspan=90s
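To make the grouping behind that search concrete, here is an added example (not from the original post or from Splunk itself) that models in Python how events sharing a field value are collected into transactions bounded by maxspan, and then applies the conceptual case from above, password changes occurring near failed logins. The event fields (user, action) and the sample events are constructed assumptions for illustration; the model is simplified relative to the real transaction command.

```python
# Simplified model of `transaction <field> maxspan=<n>s` (added example, not
# Splunk's implementation): events sharing a field value are grouped, and a new
# transaction opens whenever adding an event would exceed maxspan seconds.
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample events (not real data): epoch seconds, user, action.
SAMPLE_EVENTS = [
    {"_time": 1000, "user": "alice", "action": "login_failed"},
    {"_time": 1030, "user": "alice", "action": "login_failed"},
    {"_time": 1050, "user": "alice", "action": "password_change"},
    {"_time": 1020, "user": "bob",   "action": "login_success"},
    {"_time": 1400, "user": "bob",   "action": "password_change"},
    {"_time": 1800, "user": "alice", "action": "login_success"},
]

@dataclass
class Transaction:
    key: str                      # shared field value that links the events
    events: List[dict] = field(default_factory=list)

    def span(self) -> int:
        # maxspan in Splunk terms: time from the first event to the last one
        return self.events[-1]["_time"] - self.events[0]["_time"]

def transaction(events: List[dict], by: str, maxspan: int) -> List[Transaction]:
    """Group events by the value of field `by`, splitting a group whenever
    its total span would exceed `maxspan` seconds."""
    txns: List[Transaction] = []
    open_txns: Dict[str, Transaction] = {}
    for ev in sorted(events, key=lambda e: e["_time"]):
        key = ev[by]
        cur = open_txns.get(key)
        if cur is None or ev["_time"] - cur.events[0]["_time"] > maxspan:
            cur = Transaction(key)        # start a fresh transaction
            txns.append(cur)
            open_txns[key] = cur
        cur.events.append(ev)
    return txns

def suspicious_password_changes(txns: List[Transaction]) -> List[str]:
    """Users whose transaction contains both a failed login and a password
    change: the post's 'password change near unsuccessful logins' case."""
    return [t.key for t in txns
            if any(e["action"] == "login_failed" for e in t.events)
            and any(e["action"] == "password_change" for e in t.events)]

if __name__ == "__main__":
    txns = transaction(SAMPLE_EVENTS, by="user", maxspan=90)
    for t in txns:
        print(t.key, t.span(), [e["action"] for e in t.events])
    print("flagged:", suspicious_password_changes(txns))
```

Widening maxspan merges alice's later successful login into her first transaction, which is why tuning the span matters for what a grouped search surfaces.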
As always, never stop learning…