https://community.splunk.com/t5/Splunk-Search/using-the-filename-as-a-transaction-id/m-p/32891#M6924 <P>yes you can.<BR /> <CODE>* | transaction source</CODE></P> <P>and if you want to extract the session from a part of the source, use a rex extraction to generate the field<BR /> example mypath/to/my/file/sessionnumber.log</P> <P><CODE>* | rex field=source "blah/(&lt;?session&gt;\d+)\.log" | transaction session</CODE></P> Tue, 14 May 2013 14:52:31 GMT yannK 2013-05-14T14:52:31Z https://community.splunk.com/t5/Splunk-Search/using-the-filename-as-a-transaction-id/m-p/32890#M6923 <P>Hi,</P> <P>I am trying to integrate into splunk a Java application that generates per session logfiles. So I have lots of independente files that have interesting lines like:</P> <P>Task Param 3 2013-05-14 08:00:00 Server : farm01</P> <P>... (useless lines) ...</P> <P>Session Login 3 2013-05-04 08:45:22 Username: testuser, Login Status: Attempt, Session ID: Zgea*censored*, IP Address: 192.168.1.100</P> <P>... ( more useless lines) ...</P> <P>ObjMgr InvokeMethod 4 00003682516f22dc:0 2013-04-18 09:05:38 Begin: Service 'Web Engine Properties' invoke method: 'IsFrameless' at 15636ba6</P> <P>... ( lots more of invoke method lines ) ...</P> <P>How can I relate the invoke messages to the user that is doing the invoking. I do not have any field I can use to make the transaction feature work. However as the application creates a file for each of the sessions I can use the filename/source as a transaction id.</P> <P>Is it possible to use the source/filename as the transaction id? Or is there a differente approach?</P> Mon, 28 Sep 2020 13:53:43 GMT https://community.splunk.com/t5/Splunk-Search/using-the-filename-as-a-transaction-id/m-p/32890#M6923 krugger 2020-09-28T13:53:43Z https://community.splunk.com/t5/Splunk-Search/using-the-filename-as-a-transaction-id/m-p/32891#M6924 <P>yes you can.<BR /> <CODE>* | transaction source</CODE></P> <P>and if you want to extract the session from a part of the source, use a rex extraction to generate the field<BR /> example mypath/to/my/file/sessionnumber.log</P> <P><CODE>* | rex field=source "blah/(&lt;?session&gt;\d+)\.log" | transaction session</CODE></P> Tue, 14 May 2013 14:52:31 GMT https://community.splunk.com/t5/Splunk-Search/using-the-filename-as-a-transaction-id/m-p/32891#M6924 yannK 2013-05-14T14:52:31Z https://community.splunk.com/t5/Splunk-Search/using-the-filename-as-a-transaction-id/m-p/32892#M6925 <P>The transaction doesn't allow for over 500 lines per transaction and the files have way too many lines. They are between 5Mb and over 100Mb.</P> Tue, 14 May 2013 15:01:08 GMT https://community.splunk.com/t5/Splunk-Search/using-the-filename-as-a-transaction-id/m-p/32892#M6925 krugger 2013-05-14T15:01:08Z https://community.splunk.com/t5/Splunk-Search/using-the-filename-as-a-transaction-id/m-p/32893#M6926 <P>So what you're saying is that the filename can't be used after all either?</P> <P>I think you need to formulate first of all what rule could be used for tying events together. After that it's just a matter of translating that to something in Splunk.</P> Tue, 14 May 2013 19:59:30 GMT https://community.splunk.com/t5/Splunk-Search/using-the-filename-as-a-transaction-id/m-p/32893#M6926 Ayn 2013-05-14T19:59:30Z https://community.splunk.com/t5/Splunk-Search/using-the-filename-as-a-transaction-id/m-p/32894#M6927 <P>If you have long events, transaction is not the solution. <BR /> Can you explicit what is your goal and why you think that you needed a transaction ?</P> Tue, 14 May 2013 20:20:13 GMT https://community.splunk.com/t5/Splunk-Search/using-the-filename-as-a-transaction-id/m-p/32894#M6927 yannK 2013-05-14T20:20:13Z