https://community.splunk.com/t5/Splunk-Search/Transaction-with-uri-and-referer-in-apache-access/m-p/141487#M39197 <P><CODE>transaction</CODE> does not work quite that way. The point of specifying more than one field to base the transaction on, is to allow it to span across different types of log, e.g.</P> <UL> <LI>logs from system_1 contains <CODE>fieldA=xxx fieldB=yyy</CODE></LI> <LI>logs from system_2 contains <CODE>fieldB=yyy fieldC=zzz</CODE></LI> <LI>logs from system_3 contains <CODE>fieldC=zzz fieldD=qqq</CODE></LI> </UL> <P>Then you can link it together with <CODE>transaction fieldB fieldC</CODE>. </P> <P>In your case you only have a single source of events, but the values on which you want to build your transaction moves between fields. It would be infinitely easier to use a session-id or similar.</P> <P>/K</P> Fri, 07 Feb 2014 08:44:27 GMT kristian_kolb 2014-02-07T08:44:27Z https://community.splunk.com/t5/Splunk-Search/Transaction-with-uri-and-referer-in-apache-access/m-p/141486#M39196 <P>Hi,<BR /> I have a Apache access log,for events in every transaction,the referer field of the second event will be the same as uri of the first event, which looks like this:</P> <P>clientip [timestamp] - - - GET uri1 ... referer1 ...</P> <P>clientip [timestamp] - - - GET uri2 ... referer2=uri1 ...</P> <P>clientip [timestamp] - - - GET uri3 ... referer3=uri2 ...</P> <P>Can I make a transaction based on clientip, uri, referer? </P> <P>Thanks,<BR /> Geoff</P> Fri, 07 Feb 2014 08:12:41 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-with-uri-and-referer-in-apache-access/m-p/141486#M39196 geoff1 2014-02-07T08:12:41Z https://community.splunk.com/t5/Splunk-Search/Transaction-with-uri-and-referer-in-apache-access/m-p/141487#M39197 <P><CODE>transaction</CODE> does not work quite that way. The point of specifying more than one field to base the transaction on, is to allow it to span across different types of log, e.g.</P> <UL> <LI>logs from system_1 contains <CODE>fieldA=xxx fieldB=yyy</CODE></LI> <LI>logs from system_2 contains <CODE>fieldB=yyy fieldC=zzz</CODE></LI> <LI>logs from system_3 contains <CODE>fieldC=zzz fieldD=qqq</CODE></LI> </UL> <P>Then you can link it together with <CODE>transaction fieldB fieldC</CODE>. </P> <P>In your case you only have a single source of events, but the values on which you want to build your transaction moves between fields. It would be infinitely easier to use a session-id or similar.</P> <P>/K</P> Fri, 07 Feb 2014 08:44:27 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-with-uri-and-referer-in-apache-access/m-p/141487#M39197 kristian_kolb 2014-02-07T08:44:27Z https://community.splunk.com/t5/Splunk-Search/Transaction-with-uri-and-referer-in-apache-access/m-p/141488#M39198 <P>Thanks Kolb. Yes I know if the events are in different sourcetypes, it could be eazier to correlate them. But I don't have a session-id in the access log now. Any other commands can get a similiar result as I want?</P> Fri, 07 Feb 2014 08:51:50 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-with-uri-and-referer-in-apache-access/m-p/141488#M39198 geoff1 2014-02-07T08:51:50Z