Michael Wilde

Applied Splunk: Transaction Search Operator - Linking Events Together

The "| transaction" command is a powerful search operator that links events together into one large "meta-event". Most commonly, events are linked by fields they have in common (sendmail messages, for example, are linked by their queue ID, or "qid"). In sendmail logs, the transaction operator lets an entire mail conversation be linked into a single event, resulting in a tidy packet of information for each mail message that a mail admin can work with more easily.

Sometimes it is not fields in common that link the events, but a beginning of a conversation, followed by some number of events, followed by what we might consider "the end" of that conversation.

Example: Ping.




The "transaction" command has syntax that accommodates a "startswith" and an "endswith" option. In 3.4.x this does not mean the beginning event has "some text" in it and the ending event has "some other text" in it. The "startswith" and "endswith" options need information about an eventtype, for example its name.

Getting started, let's create eventtypes for the beginning and ending events. Using the "punct::" field (which defines an event's actual punctuation) is often a great way to make eventtypes. In this case, the beginning events will have hostnames and IPs in them, which will result in two different punctuations. Since eventtypes are really just searches, we can construct one that finds just the first event and another for the ending event.

In this example, a search for "ping statistics" is good enough. Save it as an eventtype (search menu) and call it "begin-ping".



For the ending event, it looks as if we search for "packets transmitted", all ending events will match. Save that as an eventtype and call it "end-ping". You get it... right?

Hard work. Complete.

Run your search command:

source="/users/thewilde/downloads/csv_export.csv" | transaction startswith="eventtype='begin-ping'" endswith="eventtype='end-ping'" maxpause=-1 maxspan=-1

[ maxpause=-1 and maxspan=-1 tell Splunk to keep building the transaction until the end is discovered. These options normally have time ranges attached to them, like 1d, 1h, 10s. I want to override any defaults and control Splunk's exact behavior. ]

Result:


WARNING: the "startswith" and "endswith" syntax uses SQLite-style operators, so make sure your double and single quotes are right.
Look closely: startswith="eventtype='begin-ping'" is a double quote, then eventtype=, then a single quote, begin-ping, a closing single quote, and the closing double quote.

Our result is each ping conversation identified as a transaction. Bonus: the transaction command calculates a "duration" field in number of seconds. (Select the "duration" field with Splunk's field picker.)

Sexy time:

I also extracted a field I called "ping-host" so I could run a report on "transaction duration in seconds over time, split by ping-host".


Sweet, eh?
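To make the start/end linking concrete, here is an added Python model of what the search above does; it is not code from this post or from Splunk. Events between a match on the begin-ping pattern and a match on the end-ping pattern become one transaction with a duration, maxspan and maxpause cut an open transaction off early (-1 meaning unlimited, as in the search), and the "ping-host" field is pulled from the begin event. The sample events are constructed, fed oldest first, and only mimic the post's markers; the real command also copes with reverse-ordered events and much more.

```python
import re
from datetime import datetime

# Constructed sample events, oldest first. They follow the post's begin/end
# markers ("ping statistics" / "packets transmitted"), not real ping output.
SAMPLE_EVENTS = [
    ("2012-02-07 10:00:00", "host-a ping statistics"),
    ("2012-02-07 10:00:01", "64 bytes from host-a: icmp_seq=1 time=0.4 ms"),
    ("2012-02-07 10:00:04", "5 packets transmitted, 5 received, 0% loss"),
    ("2012-02-07 10:00:05", "sshd: accepted publickey for ops"),  # unrelated
    ("2012-02-07 10:00:10", "host-b ping statistics"),
    ("2012-02-07 10:00:20", "5 packets transmitted, 3 received, 40% loss"),
    ("2012-02-07 10:01:00", "host-c ping statistics"),  # never reaches an end
]
BEGIN = re.compile(r"ping statistics")        # stands in for eventtype begin-ping
END = re.compile(r"packets transmitted")      # stands in for eventtype end-ping
HOST = re.compile(r"^(\S+) ping statistics")  # the post's extracted "ping-host"

def _finish(tx, complete):
    return {"ping_host": tx["host"], "eventcount": len(tx["events"]),
            "duration": (tx["last"] - tx["start"]).total_seconds(),
            "complete": complete}

def transactions(events, maxspan=-1, maxpause=-1):
    """Model of | transaction startswith=... endswith=... maxspan maxpause.
    Limits are in seconds; -1 means unlimited, as the post uses them."""
    out, cur = [], None
    for ts_str, raw in events:
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        if cur is not None:
            span = (ts - cur["start"]).total_seconds()
            pause = (ts - cur["last"]).total_seconds()
            if 0 <= maxspan < span or 0 <= maxpause < pause:
                out.append(_finish(cur, False))  # limit hit: emit incomplete
                cur = None
        if BEGIN.search(raw):
            if cur is not None:  # a new begin closes the open transaction
                out.append(_finish(cur, False))
            m = HOST.match(raw)
            cur = {"start": ts, "last": ts, "events": [raw],
                   "host": m.group(1) if m else None}
        elif cur is not None:
            cur["events"].append(raw)
            cur["last"] = ts
            if END.search(raw):  # end marker seen: emit complete transaction
                out.append(_finish(cur, True))
                cur = None
    if cur is not None:  # no end ever arrived
        out.append(_finish(cur, False))
    return out
```

With the defaults, host-a and host-b come out as complete transactions of 4 and 10 seconds and host-c as an unfinished one; with maxspan=5 the host-b transaction is cut off before its end line, which then matches nothing.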

Syntax for Transaction search operator in Splunk Documentation


© 2012   Created by Michael Wilde.
