Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Does the transaction command create an event id?

esalmon_splunk
Splunk Employee
Splunk Employee
‎07-30-2019 06:20 PM

I'm using the transaction command to correlate some searches, no I don't want to use stats, and its all split how I want but I've discovered what I thought was an individual id is in fact not but its still splitting correctly. Now I'm trying to figure out the avg duration per transacted event but what I was going to split it by is not individual to the transacted event. Does the transaction command produce a eventID per transacted event? Or will I need to make my own field for this?

0 Karma
Reply

woodcock
Esteemed Legend
‎07-30-2019 07:38 PM

You are experiencing why I tell everybody: DO NOT USE transaction. It does not scale and will fail silently and return partial events without telling you so. It is a nightmare. Start over and let us show you how to do it right with stats. Or ignore this warning and spin your wheels forever.

Reply

nareshinsvu
Builder
‎07-30-2019 07:09 PM

You have to make your own id/field for your requirement. transaction command takes your inputs and groups the events.

It only creates new fields like duration, closed_txn eventcount, evicted, linecount, timestartpos, timeendpos etc but not an identifier which you are after.

0 Karma
Reply

jacobpevans
Motivator
‎07-30-2019 06:35 PM

The transaction command creates two fields according to the documentation:

Additionally, the transaction command adds two fields to the raw events, duration and eventcount. The values in the duration field show the difference between the timestamps for the first and last events in the transaction. The values in the eventcount field show the number of events in the transaction.
It sounds like all you need for your purpose is the duration field that is created. If not, please post additional information such as the sample data you are seeing versus the sample data you would like to be generated.

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma
Reply
Get Updates on the Splunk Community!

CX Day is Coming!

Customer Experience (CX) Day is on October 7th!! We're so excited to bring back another day full of wonderful ...

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...