
Splunk transaction time query

NOTE: Use transaction when you need to see events correlated together and also need to define the event grouping based on start / end values.

Description: The transaction command finds transactions based on events that meet various constraints. A transaction is any group of related events that span time. The events can come from multiple applications or hosts:

- Events related to a single purchase from an online store can span an application server, a database, and an e-commerce engine.
- One email message can create multiple events as it travels through various queues.
- Each event in the network traffic logs represents a single user generating a single HTTP request, and visiting a single website normally generates multiple HTTP requests.

(In Splunk, the Summary Index specifies the default index used to store data retrieved from scheduled searches over time.)

Syntax of the transaction command:

transaction <field-list>

The events are grouped into transactions based on the values of this field list. If a quoted list of fields is specified, events are grouped together if they have the same value for each of the fields.

Common constraints: maxspan | maxpause | maxevents | startswith | endswith

Example:

index=index_name sourcetype=some-source-type | transaction SESSIONID

With the transaction command, we can also use tables to easily view the information that we want:

index=* | transaction SESSIONID | table SESSIONID, action, product_name

Transaction command: startswith / endswith. To form transactions based on terms, field values or evaluations, use the startswith and endswith options. Example: the first event in the transaction includes addtocart and the last event includes purchase:

index=* sourcetype=access* | transaction clientip startswith=action="addtocart" endswith=action="purchase"

In your case, you need to use this last example: startswith=action="addtocart" endswith=action="purchase".
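The following search is an added example, not part of the original post. It builds on the page's own addtocart / purchase query and adds the time-related pieces that the title asks about: the maxspan and maxpause constraints bound how long a transaction may run and how long the gap between two of its events may be (the 30m and 10m values are constructed thresholds, not from the page), and the duration and eventcount fields, which the transaction command itself attaches to every result, are used to surface unusually long sessions. The index, sourcetype and field names (clientip, action) are assumed to match the page's query.

```spl
index=* sourcetype=access*
| transaction clientip
    startswith=action="addtocart"
    endswith=action="purchase"
    maxspan=30m
    maxpause=10m
| eval duration_min = round(duration / 60, 1)
| where duration > 600
| table _time, clientip, duration_min, eventcount
| sort - duration_min
```

Here duration is the number of seconds between the first and last event of each transaction and eventcount is how many raw events were grouped into it; a transaction that exceeds maxspan or has a gap longer than maxpause is split rather than extended. Filtering on duration (here, sessions longer than 10 minutes) or on eventcount is a simple way to review cart-to-purchase flows that take far longer or involve far more requests than normal, which is the kind of outlier an analyst would want to inspect rather than one the raw event stream makes visible.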

In short, the Splunk transaction command is used differently from an ordinary search: instead of returning matching events one by one, it groups related events into a single result based on shared field values and the chosen start / end constraints.