Splunk Search

using the filename as a transaction id

krugger
Communicator

Hi,

I am trying to integrate into Splunk a Java application that generates per-session logfiles. So I have lots of independent files that have interesting lines like:

Task Param 3 2013-05-14 08:00:00 Server : farm01

... (useless lines) ...

Session Login 3 2013-05-04 08:45:22 Username: testuser, Login Status: Attempt, Session ID: Zgea*censored*, IP Address: 192.168.1.100

... ( more useless lines) ...

ObjMgr InvokeMethod 4 00003682516f22dc:0 2013-04-18 09:05:38 Begin: Service 'Web Engine Properties' invoke method: 'IsFrameless' at 15636ba6

... ( lots more of invoke method lines ) ...

How can I relate the invoke messages to the user that is doing the invoking? I do not have any field I can use to make the transaction feature work. However, as the application creates a file for each of the sessions, I can use the filename/source as a transaction id.

Is it possible to use the source/filename as the transaction id? Or is there a different approach?


yannK
Splunk Employee

Yes, you can.
* | transaction source

And if you want to extract the session from a part of the source, use a rex extraction to generate the field.
Example: mypath/to/my/file/sessionnumber.log

* | rex field=source "blah/(?<session>\d+)\.log" | transaction session

yannK
Splunk Employee

If you have long events, transaction is not the solution.
Can you explain what your goal is and why you think you need a transaction?


Ayn
Legend

So what you're saying is that the filename can't be used after all either?

I think you need to formulate first of all what rule could be used for tying events together. After that it's just a matter of translating that to something in Splunk.


krugger
Communicator

The transaction doesn't allow for over 500 lines per transaction and the files have way too many lines. They are between 5Mb and over 100Mb.
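An added example (editor's, not from any post in this thread) of the approach the answers point at: key every event on its source file, and carry the user from the Session Login line onto the InvokeMethod lines with eventstats instead of transaction, so the per-transaction event cap mentioned above does not apply. The index name java_app, the sourcetype session_log and the field names are assumptions; the regexes follow the line formats shown in the question.

```spl
index=java_app sourcetype=session_log
| rex field=source "(?<session>\d+)\.log$"
| rex "Username: (?<user>[^,]+), Login Status: (?<login_status>[^,]+), Session ID: (?<session_id>[^,]+), IP Address: (?<ip>\S+)"
| rex "invoke method: '(?<method>[^']+)'"
| eventstats values(user) as user values(ip) as ip values(session_id) as session_id by source
| where isnotnull(method)
| stats count as invocations by source session user ip method
| sort - invocations
```

Each InvokeMethod event now carries the user, IP and session id from the login line in the same file, which is what is needed to attribute method calls to a user. The eventstats step works per source however many lines the file has, and the final stats gives a per-user inventory of invoked methods that can be reviewed or alerted on.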
