Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to create a data model from a subset of all transactions?

spotter
New Member
‎04-30-2015 11:23 AM

Hi, I'm using splunk to provide some insights into our caching performance.

Across the entire set, I can easily do it by providing a constraint that will only match the cache hit/miss lines and extracting the "cacheresult" into the data model and graphing hits vs. misses.

That was easy. The harder part is how I do this for specific sets of transactions only.

i.e. I can do

sourcetype="gem" |transaction fields=request_id | search <transaction_type>

and this will give me only the transactions that match that transaction type

however, this can't be part of a constraint for data models, as data models can't have pipes, so I can't even build from there. Any idea on how to create a model from a subset of all transactions?

Tags (2)
0 Karma
Reply

aljohnson_splun
Splunk Employee
Splunk Employee
‎01-25-2016 11:28 AM
  • First, create an event object of sourcetype=gem.
  • Secondly, create a transaction object for your transaction.
  • Thirdly, create a child object of the transaction object to get your specific transaction type.

Here is a screenshot example, where my root event is web, then I've made a transaction object to group the web objects by clientip, and lastly, added a child object to the transaction object to search for transaction_type=foo, which in your case, could be whatever you need for ``:

alt text

And actually, data objects in data models can have pipes, however, they need to be search objects (which can include transforming commands). Please read more about the object types and their limitations / requirements here.

Please be aware that search objects and transaction objects do not benefit from data model acceleration.

Preview file
1 KB
0 Karma
Reply

delink
Communicator
‎01-25-2016 10:05 AM

I also have a situation where I want to relate a set of events together into a meta-event, then apply the CIM Authentication data model to that meta-event. It does not seem to be currently possible though.

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...