Splunk Search

Creating a parameterized transaction search

Justin_Grant
Contributor

Our office has a specific TRANSACTION search we do frequently to track all events related to a particular user. The search is always the same except for the user ID, which the Splunk user copies in from an email.

What's the best way to store the search so that I can quickly call it from the search bar but plug in the Session ID I want to restrict results to?

I guess I could use a macro and stick a | WHERE after it, but I was wondering if there was a more proper/efficient or proper way to do it.

I see there's a "transaction type" feature I can use -- is this the right solution?

I also know I can do a Form Search but in this case we want to use the "plain" search bar.

1 Solution

gkanapathy
Splunk Employee

You can use transactiontypes, but I suggest you use saved searches. You don't have to use them with form searches, but you can easily convert this:

sourcetype=blah sessionid=$sessid$ | transaction startswith="blah" endswith="yadda" fields=sessionid

And invoke it with:

| savedsearch "Name you saved it under" sessid="id123456" 
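The two options discussed in this thread, written out as the configuration stanzas Splunk would store them in. This is an added example, not from the answer above; the stanza name session_transactions, the sourcetype and the startswith/endswith values are assumptions.

```ini
# savedsearches.conf (in the app's local/ directory)
# The saved-search route from the answer: $sessid$ is a placeholder that
# "| savedsearch" fills in from its key=value arguments at run time.
[session_transactions]
search = sourcetype=blah sessionid="$sessid$" | transaction startswith="blah" endswith="yadda" fields=sessionid
# Constrain the default time range so an analyst pasting a session ID from
# an email does not accidentally run an unbounded search.
dispatch.earliest_time = -24h
dispatch.latest_time = now
disabled = 0

# Invocation from the plain search bar (assumed session ID):
#   | savedsearch session_transactions sessid="id123456"

# macros.conf (the macro route the asker considered)
# The "(1)" suffix is the argument count; $sessid$ is substituted textually,
# so keep the quotes around it in the definition.
[session_transactions(1)]
args = sessid
definition = sourcetype=blah sessionid="$sessid$" | transaction startswith="blah" endswith="yadda" fields=sessionid
iseval = 0

# Invocation from the plain search bar (assumed session ID):
#   `session_transactions("id123456")`
```

Either form keeps the transaction definition in one place; the saved search additionally lets you pin a default time range and permissions, which is why it is the better fit when the search is always run the same way.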


gkanapathy
Splunk Employee

Seems redundant to me, and there's such a thing as over-abstraction. If you're not using the same transaction type in lots of different places, there isn't any point. You've already got the transaction defined in the saved search. Why make it harder to edit?


Justin_Grant
Contributor

As usual, great answer! Out of curiosity, why are transaction types not recommended in this scenario?


Glenn
Builder

A Form search definitely sounds like what you are looking for...

What is the reason you want to use the "plain" search bar rather than a form search? If it is because of the way that the simple form search displays its results, then you can get around this. The simple form search results page also does not meet my requirements, and I prefer the flashtimeline view, so I built an advanced form search which redirects to the flashtimeline view, with the "plain" search bar at the top now filled out with the actual search syntax (passed from the form search).

If this sounds like what you are after, let me know and I'll explain further how to do it.

Justin_Grant
Contributor

Hi Glenn, mostly I'm trying to avoid the complexity of having a separate view just for this. Want to keep things simple. But I like your idea of redirection. Want to post this as an example on Splunkbase.com?
