Splunk Search

Creating a parameterized transaction search

Justin_Grant
Contributor

Our office has a specific TRANSACTION search we do frequently to track all events related to a particular user. The search is always the same except for the user ID, which the Splunk user copies in from an email.

What's the best way to store the search so that I can quickly call it from the search bar but plug in the Session ID I want to restrict results to?

I guess I could use a macro and stick a | WHERE after it, but I was wondering if there was a more proper/efficient or proper way to do it.

I see there's a "transaction type" feature I can use -- is this the right solution?

I also know I can do a Form Search but in this case we want to use the "plain" search bar.


gkanapathy
Splunk Employee

You can use transactiontypes, but I suggest you use saved searches. You don't have to use them with form searches, but you can easily convert this:

sourcetype=blah sessionid=$sessid$ | transaction startswith="blah" endswith="yadda" fields=sessionid

And invoke it with:

| savedsearch "Name you saved it under" sessid="id123456" 

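As an added illustration (not part of the answer above), this is what the two approaches look like on disk: the saved-search stanza that `| savedsearch` fills in via the `$sessid$` token, and the argument-taking macro the question mentions as an alternative. Stanza names, the `blah` sourcetype and the `sessionid` field are placeholders carried over from the answer.

```ini
# savedsearches.conf (assumed location: $SPLUNK_HOME/etc/apps/<app>/local/)
# Stanza name is an assumption; $sessid$ is replaced by the value passed to
# | savedsearch, so the search body never has to be edited per user.
[user_session_transaction]
search = sourcetype=blah sessionid="$sessid$" | transaction startswith="blah" endswith="yadda" fields=sessionid
# Invoke from the plain search bar:
#   | savedsearch "user_session_transaction" sessid="id123456"

# macros.conf (same app) - the macro alternative, taking one argument.
# The "(1)" in the stanza name is the argument count; args names the token.
[user_session_txn(1)]
args = sessid
definition = sourcetype=blah sessionid="$sessid$" | transaction startswith="blah" endswith="yadda" fields=sessionid
# Invoke from the plain search bar (macro calls are wrapped in backticks):
#   `user_session_txn("id123456")`
```

Both forms keep the session ID out of the search body itself, so the analyst only pastes the ID into the argument; quoting the value keeps a pasted ID from being interpreted as extra search syntax.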

gkanapathy
Splunk Employee

Seems redundant to me, and there's such a thing as over-abstraction. If you're not using the same transaction type in lots of different places, there isn't any point. You've already got the transaction defined in the saved search. Why make it harder to edit?


Justin_Grant
Contributor

As usual, great answer! Out of curiosity, why are transaction types not recommended in this scenario?


Glenn
Builder

A Form search definitely sounds like what you are looking for...

What is the reason you want to use the "plain" search bar rather than a form search? If it is because of the way that the simple form search displays its results, then you can get around this. The simple form search results page also does not meet my requirements, and I prefer the flashtimeline view, so I built an advanced form search which redirects to the flashtimeline view, with the "plain" search bar at the top now filled out with the actual search syntax (passed from the form search).

If this sounds like what you are after, let me know and I'll explain further how to do it.

Justin_Grant
Contributor

Hi Glenn, mostly I'm trying to avoid the complexity of having a separate view just for this. Want to keep things simple. But I like your idea of redirection. Want to post this as an example on Splunkbase.com?
