The transaction command in splunk finds transactions based on events that meet various constraints. Transactions are made up of the raw text (the _raw field) of each member, the time and date fields of the earliest member, as well as the union of all other fields of each member
• Additionally, the transaction command in splunk adds two fields to the raw events, duration and eventcount.
• The values in the duration field show the difference between the timestamps for the first and last events in the transaction.
• The values in the eventcount field show the number of events in the transaction.
• Example
1. Transactions with the same Type
If we apply the transaction command on field “Type” the transaction command automatically adds two fields i.e duration and eventcount. Event grouped into transaction based on the values of “Type”.
2. Transaction command with maxevent
We used maxevent=10 with transaction command so it limits the each transaction with maximum 10 events only
3. Calculate duration based on “startwith” and “endwith” of event.
A search filtering the event starts with string ”Start collecting” and end with “End collecting” . Create the transaction which beginning with start collecting and ends with End collecting. “duration” and “eventcount” are fields which gets created while using transaction command.
A feedback would be greatly appreciated. Please ask your questions in comment section. Happy Splunking > 😉