Splunk Series II: Correlating Events

Introduction to Transactions

A transaction is a group of related events that span time. Events can come from multiple applications or hots.
For example, One email message can create multiple events as it travels through various queues, also visiting a single website normally generates multiple HTTP requests

Transaction field-list
can be one list field or a list of field names. Events are grouped into transactions based on the values of these fields. If multiple fields are specified and a relationship exists between those fields, events with a related field value are grouped into a single transaction.

Constraints are: –> maxspan, maxpause, startswith, endswith

UntitledImage

UntitledImage

Transaction Command Specific fields

Duration – the difference between the timestamp for the first and last event in the transaction
Eventcount – The number of events in the transaction

UntitledImage

* Transactions can be useful when a single event does not provide enough information. You can use statistics reporting commands with transactions.

UntitledImage

UntitledImage

Transactions vs Stats

* When you have a choice use stats, it is faster and more efficient, in large Splunk environments.
* Use transactions when you need events correlated together. Must define event grouping based on start/end values or segment on time
* Use stats when you want to see results of a calculation. It can group events based on a field value.
* By default the is a limit of 1000 events per transaction, no such limit applies to stats
* Admins can change the limit by configuring max_events_per_bucket in limits.cnf

UntitledImage

What is next?

Knowledge Objects

About the Author:

Andres Sarmiento, CCIE # 53520 (Collaboration)
With more than 15 years of experience, Andres is specialized in Unified Communications and Collaboration technologies. Consulted for several companies in South Florida, also Financial Institutions on behalf of Cisco Systems. Andres has been involved in high-profile implementations including Cisco technologies; such as Data Center, UC & Collaboration, Contact Center Express, Routing & Switching, Security and Hosted IPT Service provider infrastructures.

You can follow Andres using Twitter, LinkedIn or Facebook

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.