I have noticed some weird behavior that I don't understand when using the transaction command. If I don't specify a maxspan for the transaction command, the results aren't displayed until Splunk is finished gathering data within the timeframe specified for the search.

For best search performance, craft your search and then pipe it to the transaction command. Follow the transaction command with the following options. Note: some transaction options do not work in conjunction with others. For more information see the topic on the transaction command in the Search Reference manual.

name: Specifies the name of a stanza from nf. Use this to invoke a transaction type that you have already configured for reuse. If other arguments are provided, they overrule the values specified for the same arguments in the transaction rule. For example, if web_purchase, the transaction rule you're invoking, is configured with maxevents=10, but you'd like to run it with a different value for maxevents, add maxevents to the search string with the value you want:

    sourcetype=access_* | transaction name=web_purchase maxevents=5

field-list: A comma-separated list of fields. If set, each event must have the same value for the field(s) to be considered part of the same transaction. Events with common field names and different values will not be grouped. For example, with | transaction host, a search result that has host=mylaptop can never be in the same transaction as a search result with host=myserver. A search result that has no host value, however, can be in a transaction with a result that has host=mylaptop.

match: Specify the matching type to use with a transaction definition. The only value supported currently is closest.

maxspan: Set the maximum duration of one transaction. Can be in seconds, minutes, hours or days. Defaults to maxspan=-1, for an "all time" timerange.

maxpause: Specifies the maximum pause between transactions. Requires there be no pause between the events within the transaction greater than maxpause. If the value is negative, the maxpause constraint is disabled.

startswith: A search or eval-filtering expression which, if satisfied by an event, marks the beginning of a new transaction.

endswith: A search or eval-filtering expression which, if satisfied by an event, marks the end of a transaction.

Each of these is defined with the following syntax: a valid search expression that does not contain quotes, a valid search expression that contains quotes, or a valid eval expression that evaluates to a boolean (eval bool expression: eval(distance/time ...; for example endswith=eval(speed_field ...).

Example: run a search that groups together all of the web pages a single user (or client IP address) looked at over a time range.

    sourcetype=access_combined | transaction clientip maxpause=5m maxspan=3h

This search takes events from the access logs and creates a transaction from events that share the same clientip value and occurred within 5 minutes of each other (within a 3 hour time span). Refer to the transaction command topic in the Search Reference Manual for more examples.
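To make the maxpause and maxspan semantics above concrete, here is an added Python re-implementation of the grouping rule behind the clientip search (example code written for this page, not Splunk's own implementation); the access-log events, their tuple layout and the parse_span helper for the option syntax (5m, 3h, -1) are assumptions of this example.

```python
from datetime import datetime

# Constructed sample events in the spirit of access_combined: (timestamp, clientip, request)
SAMPLE_EVENTS = [
    ("2024-01-01 10:00:00", "10.0.0.1", "GET /login"),
    ("2024-01-01 10:02:00", "10.0.0.1", "GET /cart"),
    ("2024-01-01 10:03:00", "10.0.0.2", "GET /index"),
    ("2024-01-01 10:09:00", "10.0.0.1", "GET /checkout"),  # 7 min after /cart: breaks maxpause=5m
    ("2024-01-01 10:10:00", "10.0.0.1", "POST /checkout"),
    ("2024-01-01 13:30:00", "10.0.0.1", "GET /logout"),    # hours later: breaks both limits
]
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_span(value):
    """Splunk-style duration ('30s', '5m', '3h', '2d' or bare seconds) -> seconds.
    A negative value, such as the maxspan=-1 default, disables the limit (None)."""
    value = str(value).strip()
    if value.startswith("-"):
        return None
    if value[-1] in UNITS:
        return int(value[:-1]) * UNITS[value[-1]]
    return int(value)
def ts(ev):
    return datetime.strptime(ev[0], "%Y-%m-%d %H:%M:%S")
def transaction(events, field=1, maxpause="-1", maxspan="-1"):
    """Group time-ordered events sharing the same value of `field` (tuple index).
    A new transaction for that value starts when the gap since the previous event
    exceeds maxpause, or when the event would stretch the transaction past maxspan.
    (Events lacking the field are not modelled.) Returns transactions by first event."""
    pause_limit, span_limit = parse_span(maxpause), parse_span(maxspan)
    open_by_key, closed = {}, []
    for ev in sorted(events, key=ts):
        key, now = ev[field], ts(ev)
        grp = open_by_key.get(key)
        if grp is not None:
            pause = (now - ts(grp[-1])).total_seconds()
            span = (now - ts(grp[0])).total_seconds()
            if (pause_limit is not None and pause > pause_limit) or \
               (span_limit is not None and span > span_limit):
                closed.append(grp)       # close the running transaction
                grp = None
        if grp is None:
            grp = open_by_key[key] = []  # start a new transaction for this key
        grp.append(ev)
    closed.extend(open_by_key.values())
    return sorted(closed, key=lambda g: ts(g[0]))
def requests_per_transaction(events, **kwargs):
    """Convenience view: just the request strings of each transaction."""
    return [[ev[2] for ev in grp] for grp in transaction(events, **kwargs)]
```

Running requests_per_transaction(SAMPLE_EVENTS, maxpause="5m", maxspan="3h") splits the 10.0.0.1 events into three transactions, while the defaults (both -1) keep all of them in one.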