We are using a transaction to group web access events the Client IP and another field we extract (essentially filename, which is the entire "*.flv" at the end of the URL below). The transaction command looks like this
index=cdnmanager sourcetype=squid Node_Type="Edge" | fields Provider Client_IP | transaction Provider,Client_IP maxspan=3h maxpause=10s | where duration > 5
When we run this against some test data, we are getting a transaction whose duration is 10.464 seconds. The actual events are as shown here in output from the transaction command:
[10/Apr/2011:17:58:42.374+0000] 2524302 24.13.123.82 TCP_HIT/200 736284 GET http://se01-area4-il-chicago.se.cim-cim-prog.cdn2.comcast.net/fanEntertainment/686/61/2011-02-12t063... video/x-flv
[10/Apr/2011:17:58:53.020+0000] 2536012 24.13.123.82 TCP_IMS_HIT/206 448342 GET http://se01-area4-il-chicago.se.cim-cim-prog.cdn2.comcast.net/fanEntertainment/686/61/2011-02-12t063... video/x-flv
If you take the delta between the timestamps you get 10.646, which is exactly what Splunk reports as the 'duration' field. These events meet the Client IP/Filename grouping criteria, but exceed the specified maxpause value - why is Splunk combining these into a transaction? If it's simply not that granular about the time that's fine, we just need to understand how it's dealing with all the settings so we know what results to expect in various configurations.
