I have user login/out logs to parse. The goal is to get the information on
The log files look like
2012-11-08 16:20:02 Start login for user 'ABCDEFG', profile: 'default', session: 'SESSION68811278'. SERVERNAME
2012-11-08 16:29:10 Log out session 'SESSION68811278'. SERVERNAME
How do I set up transactions for them? Please don't just give me a link to read because I have already read it and I don't get it.
http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/Searchfortransactions
Thanks.
Assuming you have the data coming into Splunk properly you'll first want to extract out the relevant fields. This wizard will help generate the required regular expression for you. That way you can now have a field called 'session'.
http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/ExtractfieldsinteractivelywithIFX
Then you can simply create a search that creates your transaction, using session in this case; it could be a different value or multiple fields as well:
search | transaction session
This will automatically create larger transaction events and a duration field for the time. Given your needs above, once you get to this step we can create several searches to match the transactions by session or server name etc...
If you don't have the data configured in Splunk yet you'll want to start here. It's pretty straightforward.
http://docs.splunk.com/Documentation/Splunk/5.0/Data/Setupcustominputs
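To make concrete what `transaction session` does with the two line shapes in the question, here is an added Python illustration (not Splunk's code and not part of the answer above). It does in plain code what Splunk does for you: extract the fields with a regular expression (the `rex`/IFX step), group the login and logout events that share a `session` value, and derive a `duration`. The field names `user`, `profile`, `session` and `server` are my assumptions based on the log excerpt, and the sample lines are constructed. It also reports sessions that have a login but no logout, which is the kind of gap a transaction search would surface and which is usually the thing worth looking at when reviewing login activity.

```python
import re
from datetime import datetime

# Constructed sample lines in the same shape as the log excerpt in the question.
# One session is complete; two are still open (no "Log out" line).
SAMPLE_LOG = """\
2012-11-08 16:20:02 Start login for user 'ABCDEFG', profile: 'default', session: 'SESSION68811278'. SERVERNAME
2012-11-08 16:21:30 Start login for user 'HIJKLMN', profile: 'admin', session: 'SESSION68811300'. SERVERNAME
2012-11-08 16:29:10 Log out session 'SESSION68811278'. SERVERNAME
2012-11-08 16:40:00 Start login for user 'OPQRSTU', profile: 'default', session: 'SESSION68811999'. SERVERNAME
"""

# Field extraction, equivalent to what the IFX wizard / `rex` would produce.
# Field names (user, profile, session, server) are assumed, not taken from the page.
LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) Start login for user "
    r"'(?P<user>[^']*)', profile: '(?P<profile>[^']*)', session: '(?P<session>[^']*)'\. (?P<server>\S+)$"
)
LOGOUT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) Log out session '(?P<session>[^']*)'\. (?P<server>\S+)$"
)


def parse_line(line):
    """Return a dict of extracted fields for one log line, or None if it matches neither pattern."""
    for kind, pattern in (("login", LOGIN_RE), ("logout", LOGOUT_RE)):
        m = pattern.match(line)
        if m:
            fields = m.groupdict()
            fields["kind"] = kind
            fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%d %H:%M:%S")
            return fields
    return None


def build_transactions(text):
    """Group events by session value, like `... | transaction session`.

    Returns {session_id: {...}} with a 'duration' in seconds for sessions that have
    both a login and a logout, and duration None for sessions that are still open,
    so incomplete sessions are kept rather than silently dropped.
    """
    sessions = {}
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # unrecognised line shape; a real job would count these
        txn = sessions.setdefault(ev["session"], {"session": ev["session"], "events": []})
        txn["events"].append(ev)
        if ev["kind"] == "login":
            txn.update(user=ev["user"], profile=ev["profile"], server=ev["server"], login=ev["ts"])
        else:
            txn["logout"] = ev["ts"]
    for txn in sessions.values():
        if "login" in txn and "logout" in txn:
            txn["duration"] = (txn["logout"] - txn["login"]).total_seconds()
        else:
            txn["duration"] = None
    return sessions


def open_sessions(transactions):
    """Session IDs that have a login but no matching logout, sorted for stable output."""
    return sorted(s for s, t in transactions.items() if "login" in t and "logout" not in t)


if __name__ == "__main__":
    txns = build_transactions(SAMPLE_LOG)
    for sid, t in txns.items():
        print(sid, t.get("user"), t.get("server"), "duration:", t["duration"])
    print("still open:", open_sessions(txns))
```

The Splunk equivalent of `build_transactions` is the answer's `search | transaction session`; the `duration` field it adds is the same login-to-logout difference computed here, and the open sessions correspond to transactions that never close (which `transaction` can flag with its `closed_txn` field when you give it `startswith`/`endswith` conditions).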
Hmm....I didn't think the video would have helped, but it did 🙂
I got the idea on how to apply to my usage now. Thank you.
Ok. I think this video (5 mins) will help. It's a different use case but you'll see exactly what it does, how the data will look and why. Let me know your thoughts.
Hi, thanks for responding.
I have already set up field extraction. LoginDate, LogoutDate, UserID, Profile, UserSession, and ServerName. I know how to get what I need using stats and chart, but I want to learn about transaction.
I still don't get your example of