https://community.splunk.com/t5/Splunk-Search/How-to-configure-transaction/m-p/29431#M5938 <P>Assuming you have the data coming into Splunk properly you'll first want to extract out the relevant fields. This wizard will help generate the required regular expression for you. That way you can now have a field called 'session'.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/ExtractfieldsinteractivelywithIFX">http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/ExtractfieldsinteractivelywithIFX</A></P> <P>Then you can simply create a search that creates your transaction using session in this case, it could be a different value or multiple fields as well:</P> <P>search | transaction session</P> <P>This will automatically create larger transaction events and a duration field for the time. Given your needs above, once you get to this step we can create several searches to match the transactions by session or server name etc...</P> <P>If you don't have the data configured in Splunk yet you'll want to start here. It's pretty straightforward. </P> <P><A href="http://docs.splunk.com/Documentation/Splunk/5.0/Data/Setupcustominputs">http://docs.splunk.com/Documentation/Splunk/5.0/Data/Setupcustominputs</A></P> Fri, 09 Nov 2012 19:53:54 GMT sdaniels 2012-11-09T19:53:54Z https://community.splunk.com/t5/Splunk-Search/How-to-configure-transaction/m-p/29430#M5937 <P>I have user login/out logs to parse. The goal is to get the information on</P> <UL> <LI>Active sessions (i.e. no logout time) by server</LI> <LI>Total logins over certain period of time by server</LI> <LI>Login duration by server</LI> </UL> <P>The log files look like</P> <PRE> 2012-11-08 16:20:02 Start login for user 'ABCDEFG', profile: 'default', session: 'SESSION68811278'. SERVERNAME 2012-11-08 16:29:10 Log out session 'SESSION68811278'. SERVERNAME </PRE> <P>How do I set up transactions for them? Please don't just give me a link to read because I have already read it and I don't get it.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/Searchfortransactions">http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/Searchfortransactions</A></P> <P>Thanks.</P> Fri, 09 Nov 2012 18:36:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-configure-transaction/m-p/29430#M5937 lain179 2012-11-09T18:36:38Z https://community.splunk.com/t5/Splunk-Search/How-to-configure-transaction/m-p/29431#M5938 <P>Assuming you have the data coming into Splunk properly you'll first want to extract out the relevant fields. This wizard will help generate the required regular expression for you. That way you can now have a field called 'session'.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/ExtractfieldsinteractivelywithIFX">http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/ExtractfieldsinteractivelywithIFX</A></P> <P>Then you can simply create a search that creates your transaction using session in this case, it could be a different value or multiple fields as well:</P> <P>search | transaction session</P> <P>This will automatically create larger transaction events and a duration field for the time. Given your needs above, once you get to this step we can create several searches to match the transactions by session or server name etc...</P> <P>If you don't have the data configured in Splunk yet you'll want to start here. It's pretty straightforward. </P> <P><A href="http://docs.splunk.com/Documentation/Splunk/5.0/Data/Setupcustominputs">http://docs.splunk.com/Documentation/Splunk/5.0/Data/Setupcustominputs</A></P> Fri, 09 Nov 2012 19:53:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-configure-transaction/m-p/29431#M5938 sdaniels 2012-11-09T19:53:54Z https://community.splunk.com/t5/Splunk-Search/How-to-configure-transaction/m-p/29432#M5939 <P>Hi, thanks for responding.</P> <P>I have already set up field extraction. LoginDate, LogoutDate, UserID, Profile, UserSession, and ServerName. I know how to get what I need using stats and chart, but I want to learn about transaction.</P> <P>I still don't get your example of</P> <P><YOUR search=""> | transaction session</YOUR></P> Fri, 09 Nov 2012 20:18:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-configure-transaction/m-p/29432#M5939 lain179 2012-11-09T20:18:09Z https://community.splunk.com/t5/Splunk-Search/How-to-configure-transaction/m-p/29433#M5940 <P>Ok. I think this video (5 mins) will help. It's a different use case but you'll see exactly what it does, how the data will look and why. Let me know your thoughts.</P> <P><A href="http://www.splunk.com/view/SP-CAAAG9X">http://www.splunk.com/view/SP-CAAAG9X</A></P> Fri, 09 Nov 2012 20:36:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-configure-transaction/m-p/29433#M5940 sdaniels 2012-11-09T20:36:52Z https://community.splunk.com/t5/Splunk-Search/How-to-configure-transaction/m-p/29434#M5941 <P>Hmm....I didn't think the video would have helped, but it did <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>I got the idea on how to apply to my usage now. Thank you.</P> Fri, 09 Nov 2012 21:55:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-configure-transaction/m-p/29434#M5941 lain179 2012-11-09T21:55:27Z