How to configure transaction

lain179
Communicator

I have user login/out logs to parse. The goal is to get the information on

  • Active sessions (i.e. no logout time) by server
  • Total logins over certain period of time by server
  • Login duration by server

The log files look like

2012-11-08 16:20:02 Start login for user 'ABCDEFG', profile: 'default', session: 'SESSION68811278'.  SERVERNAME

2012-11-08 16:29:10 Log out session 'SESSION68811278'. SERVERNAME

How do I set up transactions for them? Please don't just give me a link to read because I have already read it and I don't get it.

http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/Searchfortransactions

Thanks.


sdaniels
Splunk Employee

Assuming you have the data coming into Splunk properly you'll first want to extract out the relevant fields. This wizard will help generate the required regular expression for you. That way you can now have a field called 'session'.

http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/ExtractfieldsinteractivelywithIFX

Then you can simply create a search that creates your transaction using session in this case; it could be a different value or multiple fields as well:

search | transaction session

This will automatically create larger transaction events and a duration field for the time. Given your needs above, once you get to this step we can create several searches to match the transactions by session or server name, etc.

If you don't have the data configured in Splunk yet you'll want to start here. It's pretty straightforward.

http://docs.splunk.com/Documentation/Splunk/5.0/Data/Setupcustominputs

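A complete search for the three questions in the original post, written out as an added example; it is not part of sdaniels' answer or of the Splunk documentation. The index and sourcetype names are assumed, and the field names (user, profile, session, server) are taken from the two log lines shown in the question.

```spl
index=auth sourcetype=login_audit
| rex "^\S+ \S+ Start login for user '(?<user>[^']+)', profile: '(?<profile>[^']+)', session: '(?<session>[^']+)'\.\s+(?<server>\S+)\s*$"
| rex "^\S+ \S+ Log out session '(?<session>[^']+)'\.\s+(?<server>\S+)\s*$"
| transaction session startswith="Start login" endswith="Log out" maxspan=24h keepevicted=true
| eval status=if(closed_txn==1, "closed", "active")
| stats count AS total_logins,
        count(eval(status="active")) AS active_sessions,
        avg(duration) AS avg_login_seconds,
        max(duration) AS longest_login_seconds
  BY server
```

The two `rex` commands only set fields on the lines they match, so a login line gets user, profile, session and server, and a logout line gets session and server. `transaction session` then pairs every event that shares a session value into one event; `startswith`/`endswith` tell it which line opens and which closes a pairing, and `duration` is the number of seconds between the first and last event in the pair. The `keepevicted=true` option is what answers the "active sessions" question: without it, a login that has no matching logout is silently dropped, whereas with it the unfinished transaction is kept and marked with `closed_txn=0`. The `maxspan` value is an assumption about how long a session can plausibly last; pick one that fits the real data, since anything longer is treated as two separate transactions. To list the open sessions instead of counting them, replace the `stats` line with `| where status="active" | table server user session _time`. Add `earliest`/`latest` time modifiers to the first line to restrict "total logins" to a given period.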

lain179
Communicator

Hmm... I didn't think the video would have helped, but it did 🙂

I got the idea on how to apply to my usage now. Thank you.


sdaniels
Splunk Employee

Ok. I think this video (5 mins) will help. It's a different use case but you'll see exactly what it does, how the data will look and why. Let me know your thoughts.

http://www.splunk.com/view/SP-CAAAG9X


lain179
Communicator

Hi, thanks for responding.

I have already set up field extraction. LoginDate, LogoutDate, UserID, Profile, UserSession, and ServerName. I know how to get what I need using stats and chart, but I want to learn about transaction.

I still don't get your example of

| transaction session
