In this post, I’ll show you how to use Splunk’s Transaction search, with several powerful examples.

In the latest releases, we have search-time discovery of transactions, with the new transaction search command. Transaction collapses a set of events that belong to a transaction into a single event. You can specify the parameters as arguments to the transam operator right in the search, or you can refer to a named-transaction definition in transactiontypes.conf. A few simple examples will give you an idea of some things you can do.

• get events with ‘http’, and group any search results into “bursts” of events, grouping any events that occur within two seconds of each other into the same transaction event. [Note: there is an implied "search" command at the head of all searches, so "http" is really "search http".]

http | transaction maxpause=2s

• get events with ‘http’, and collapse those that share the same host and cookie value, that occur within 30 seconds:

http | transaction fields=host,cookie maxspan=30s maxpause=30s

• get events with ’sendmail’, and collapse those that have the same userid, between a login and a logout, that occur within 10 minutes:

sendmail | transaction fields=uid startswith="eventtype=login" endswith="eventtype=logout" maxspan=10m maxpause=10m

• get events with ‘http’, and then find transactions as defined by email_transaction found in transactions.conf:

http | transaaction email_transaction

• Find transactions that change a password, near where there were unsuccessful root logins. To break it down — search for unsuccessful root logins, find time ranges around those root logins, find transactions in those those regions, and finally look for password changes in the transaction.

  root login NOT fail*
  | localize maxspan=1m maxpause=1m
  | map search="search starttimeu=$starttime$ endtimeu=$endtimeu$
  | transaction session |  search password change"