Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Does the transaction command create an event id?

esalmon_splunk
Splunk Employee
Splunk Employee
‎07-30-2019 06:20 PM

I'm using the transaction command to correlate some searches, no I don't want to use stats, and its all split how I want but I've discovered what I thought was an individual id is in fact not but its still splitting correctly. Now I'm trying to figure out the avg duration per transacted event but what I was going to split it by is not individual to the transacted event. Does the transaction command produce a eventID per transacted event? Or will I need to make my own field for this?

0 Karma
Reply

woodcock
Esteemed Legend
‎07-30-2019 07:38 PM

You are experiencing why I tell everybody: DO NOT USE transaction. It does not scale and will fail silently and return partial events without telling you so. It is a nightmare. Start over and let us show you how to do it right with stats. Or ignore this warning and spin your wheels forever.

Reply

nareshinsvu
Builder
‎07-30-2019 07:09 PM

You have to make your own id/field for your requirement. transaction command takes your inputs and groups the events.

It only creates new fields like duration, closed_txn eventcount, evicted, linecount, timestartpos, timeendpos etc but not an identifier which you are after.

0 Karma
Reply

jacobpevans
Motivator
‎07-30-2019 06:35 PM

The transaction command creates two fields according to the documentation:

Additionally, the transaction command adds two fields to the raw events, duration and eventcount. The values in the duration field show the difference between the timestamps for the first and last events in the transaction. The values in the eventcount field show the number of events in the transaction.
It sounds like all you need for your purpose is the duration field that is created. If not, please post additional information such as the sample data you are seeing versus the sample data you would like to be generated.

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...