Knowledge management
As mentioned, you can define or create Splunk transaction types for later use by yourself or by other Splunk users in the `transactiontypes.conf` file. A lot of thought should go into a Splunk knowledge management strategy. You will find more on this topic later in this book, but for now, here are the basics you can use to define some Splunk transactions:
- If it doesn't already exist, use a text editor to create a `transactiontypes.conf` file in `$SPLUNK_HOME/etc/system/local/` or in your own custom app directory under `$SPLUNK_HOME/etc/apps/`.
- Next, define transactions using the following arguments:
```ini
[<transactiontype>]
maxspan = [<integer> s|m|h|d|-1]
maxpause = [<integer> s|m|h|d|-1]
maxevents = <integer>
fields = <comma-separated list of fields>
startswith = <transam-filter-string>
endswith = <transam-filter-string>
```
Let's go over the terms in the preceding stanza:

- `transactiontype`: the name of the transaction type
- `maxspan`: the maximum time span for the transaction
- `maxpause`: the maximum pause between events in a transaction
- `maxevents`: the maximum number of events in a transaction
- `fields`: a comma-separated list of fields
- `startswith`: marks the beginning of a new transaction
- `endswith`: marks the end of a transaction
For example, I can edit the Splunk `transactiontypes.conf` file to include a new transaction type named `TM1-2`. This transaction type can be used to look for the possibility that a TM1 admin server was shut down and restarted (or restarted and then shut down) within a one-hour time span, with no more than 15 minutes between consecutive events.

From then on, until the Splunk `transactiontypes.conf` file is changed, this transaction can be searched for by typing the following:

```
sourcetype=tm1* | transaction TM1-2
```
Some working examples
Here is an example of knowledge management in use:

```
http | transaction maxpause=2s
```

The results will be all the transactions, defined as events containing the string `http`, that occurred within two seconds of each other. Consider the following:
```
sourcetype=access_* | transaction clientip maxspan=30s maxpause=5s
```

This defines a transaction based on web access events that share the same client IP address. The first and last events in the transaction must be no more than 30 seconds apart, and consecutive events must be no more than 5 seconds apart. Consider the following:
```
... | transaction from maxspan=90s maxpause=5s
```

This defines a transaction that groups search results sharing the same value of `from`, with a maximum span of 90 seconds and a pause between events of no more than 5 seconds.
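The `TM1-2` definition from the previous section and the `clientip` search above can be modelled together. The following Python is an added illustration, not code from this book or from Splunk: it parses a constructed `transactiontypes.conf` stanza for `TM1-2` (the book does not print that stanza, so the `startswith`/`endswith` strings `shutdown` and `started`, and the sample TM1 log lines, are assumptions) and then applies the `maxspan`, `maxpause`, `maxevents`, `fields`, `startswith` and `endswith` constraints to constructed events, once for `TM1-2` and once for `transaction clientip maxspan=30s maxpause=5s`. It is a simplified model of those constraints, not Splunk's implementation, which scans newest-first and can evict transactions.

```python
import configparser
from datetime import datetime, timedelta

# Constructed transactiontypes.conf text. The book names a TM1-2 type but does
# not print its stanza; the startswith/endswith strings are assumed placeholders.
TRANSACTIONTYPES_CONF = """
[TM1-2]
maxspan = 1h
maxpause = 15m
startswith = "shutdown"
endswith = "started"
"""


def parse_span(value):
    """Turn a Splunk-style span ('30s', '15m', '1h', '2d', or '-1' for no limit)
    into a timedelta, or None when there is no limit."""
    value = value.strip().strip('"')
    if value in ("-1", ""):
        return None
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    if value[-1] in units:
        return timedelta(seconds=int(value[:-1]) * units[value[-1]])
    return timedelta(seconds=int(value))


def make_spec(fields=(), maxspan="-1", maxpause="-1", maxevents=None,
              startswith=None, endswith=None):
    """Normalise the arguments listed in the stanza into one spec dict."""
    return {
        "fields": list(fields),
        "maxspan": parse_span(maxspan),
        "maxpause": parse_span(maxpause),
        "maxevents": int(maxevents) if maxevents else None,
        "startswith": startswith or None,
        "endswith": endswith or None,
    }


def load_transaction_type(conf_text, name):
    """Read one [<transactiontype>] stanza; the file is INI-style, so configparser fits."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    s = cp[name]
    return make_spec(
        fields=[f.strip() for f in s.get("fields", "").split(",") if f.strip()],
        maxspan=s.get("maxspan", "-1"),
        maxpause=s.get("maxpause", "-1"),
        maxevents=s.get("maxevents", None),
        startswith=s.get("startswith", "").strip('"'),
        endswith=s.get("endswith", "").strip('"'),
    )


def group_transactions(events, spec):
    """Simplified model (assumption): scan oldest to newest, keeping one open
    transaction per distinct combination of `fields`. An event joins the open
    transaction unless maxspan, maxpause or maxevents would be exceeded or it
    matches startswith; either way a new transaction then begins. An endswith
    match closes the transaction. Returns transactions ordered by first event."""
    open_txns, done = {}, []

    def matches(which, ev):
        needle = spec[which]
        return bool(needle) and needle in ev["_raw"]

    for ev in sorted(events, key=lambda e: e["_time"]):
        key = tuple(ev.get(f) for f in spec["fields"])
        txn = open_txns.get(key)
        if txn is not None:
            span = ev["_time"] - txn[0]["_time"]
            pause = ev["_time"] - txn[-1]["_time"]
            over_span = spec["maxspan"] is not None and span > spec["maxspan"]
            over_pause = spec["maxpause"] is not None and pause > spec["maxpause"]
            over_count = spec["maxevents"] is not None and len(txn) >= spec["maxevents"]
            if over_span or over_pause or over_count or matches("startswith", ev):
                done.append(txn)
                txn = None
        if txn is None:
            txn = open_txns[key] = []
        txn.append(ev)
        if matches("endswith", ev):
            done.append(open_txns.pop(key))
    done.extend(open_txns.values())
    return sorted(done, key=lambda t: t[0]["_time"])


T0 = datetime(2024, 1, 1, 10, 0, 0)  # constructed base timestamp

# Constructed TM1 admin server log lines (not real product output).
TM1_EVENTS = [
    {"_time": T0, "_raw": "TM1 admin server shutdown initiated"},
    {"_time": T0 + timedelta(minutes=10), "_raw": "TM1 admin server started"},
    {"_time": T0 + timedelta(hours=3), "_raw": "TM1 admin server shutdown initiated"},
    {"_time": T0 + timedelta(hours=3, minutes=20), "_raw": "TM1 admin server started"},
]

# Constructed web access events for: transaction clientip maxspan=30s maxpause=5s
ACCESS_EVENTS = [
    {"_time": T0, "clientip": "10.0.0.1", "_raw": "GET /login"},
    {"_time": T0 + timedelta(seconds=3), "clientip": "10.0.0.1", "_raw": "GET /app"},
    {"_time": T0 + timedelta(seconds=4), "clientip": "10.0.0.2", "_raw": "GET /"},
    {"_time": T0 + timedelta(seconds=12), "clientip": "10.0.0.1", "_raw": "GET /logout"},
]


def tm1_transactions():
    return group_transactions(TM1_EVENTS, load_transaction_type(TRANSACTIONTYPES_CONF, "TM1-2"))


def access_transactions():
    return group_transactions(ACCESS_EVENTS, make_spec(fields=["clientip"], maxspan="30s", maxpause="5s"))


if __name__ == "__main__":
    for txn in tm1_transactions():
        print(len(txn), [e["_raw"] for e in txn])
    for txn in access_transactions():
        print(txn[0]["clientip"], [e["_raw"] for e in txn])
```

Running it prints one line per transaction: the two TM1 events 10 minutes apart are grouped and closed by the `started` line, while the later pair 20 minutes apart is split by `maxpause = 15m`; in the access log, the third request from 10.0.0.1 arrives 9 seconds after the previous one, so `maxpause=5s` starts a new transaction for that client.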