Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Does the transaction command create an event id?

esalmon_splunk
Splunk Employee
Splunk Employee
‎07-30-2019 06:20 PM

I'm using the transaction command to correlate some searches, no I don't want to use stats, and its all split how I want but I've discovered what I thought was an individual id is in fact not but its still splitting correctly. Now I'm trying to figure out the avg duration per transacted event but what I was going to split it by is not individual to the transacted event. Does the transaction command produce a eventID per transacted event? Or will I need to make my own field for this?

0 Karma
Reply

woodcock
Esteemed Legend
‎07-30-2019 07:38 PM

You are experiencing why I tell everybody: DO NOT USE transaction. It does not scale and will fail silently and return partial events without telling you so. It is a nightmare. Start over and let us show you how to do it right with stats. Or ignore this warning and spin your wheels forever.

Reply

nareshinsvu
Builder
‎07-30-2019 07:09 PM

You have to make your own id/field for your requirement. transaction command takes your inputs and groups the events.

It only creates new fields like duration, closed_txn eventcount, evicted, linecount, timestartpos, timeendpos etc but not an identifier which you are after.

0 Karma
Reply

jacobpevans
Motivator
‎07-30-2019 06:35 PM

The transaction command creates two fields according to the documentation:

Additionally, the transaction command adds two fields to the raw events, duration and eventcount. The values in the duration field show the difference between the timestamps for the first and last events in the transaction. The values in the eventcount field show the number of events in the transaction.
It sounds like all you need for your purpose is the duration field that is created. If not, please post additional information such as the sample data you are seeing versus the sample data you would like to be generated.

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
li.common.scroll-to.top