07_Splunk 9 Correlating Events with Transactions

 1 Course Overview

2 Understanding Transactions

2.1 Overview

2.2 What Are Transactions?

2.3 Demo: Setting up Your Splunk Environment

2.4 Demo: The Transaction Command

2.5 Identifying Transactions

2.6 Family of Correlation Searches

2.7 A Word of Caution

3 Using Transactions

3.1 Overview

3.2 Using Startswith and Endswith

3.3 Demo: Startswith and Endswith

3.4 Using Maxevents, Maxpause, and Maxspan

3.5 Using Rex to Extract Fields

3.6 Demo: Using Rex

3.7 Finding Unfinished Transactions

3.8 Demo: Finding Unfinished Transactions

4 Creating Reports and Dashboards from Transaction Results

4.1 Overview

4.2 Creating Reports

4.3 Creating Dashboards

4.4 Demo: Creating Reports

4.5 Demo: Creating Dashboards

5 Determining When to Use Transactions

5.1 Overview

5.2 Drawbacks of Transactions

5.3 Demo: Compare Transaction and Stats

5.4 Transaction vs. Join

5.5 When Transaction Is Not Possible

1. Course Overview

• Karun Subramanian – Splunk Certified Architect

https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Transaction

• 

2. Understanding Transactions

1. Overview

2. What Are Transactions?

3. Demo: Setting up Your Splunk Environment

https://docs.splunk.com/Documentation/Splunk/9.2.0/SearchTutorial/Systemrequirements#Download_the_tutorial_data_files

https://docs.splunk.com/Documentation/Splunk/9.2.0/SearchTutorial/GetthetutorialdataintoSplunk

Download Prices.csv.zip, tutorialdata.zip files

Upload tutorialdata.zip

• With index = pluralsight – rest of the items are defualt

• Search

• In fast mode filelds are not automatically extracted.  But in smart, verbose mode fields are automatically extracted.

• So for transactions always we use Smart mode (verbose mode costly)

• Create App for our knowledge object

• ??? What is app and why we need even uploading file is available in search 

• Click Gear Icon > Click “Create app” 

• 

• - here no file choose to upload

• App “Globomantics” will be created

• 

• Logo should be in app/name/static folder

• 
  

4. Demo: The Transaction Command

JSESSIONID is generated by application server

5. Identifying Transactions

6. Family of Correlation Searches

7. A Word of Caution

3. Using Transactions

1. Overview

2. Using Startswith and Endswith

Within the transactions, the records will be in chronological order.

3. Demo: Startswith and Endswith

index="_internal" sourcetype=splunkd

index="_internal" sourcetype=splunkd 

| transaction startswith="Splunkd starting"

index="_internal" sourcetype=splunkd 

| transaction startswith="Splunkd starting" maxevents=20

4. Using Maxevents, Maxpause, and Maxspan

If 

5. Using Rex to Extract Fields

To extract the fileds from events in search time

Extract fields in index time also by using propos.conf, and index.conf file

6. Demo: Using Rex

RESPONSETIME field is created, then we can use this field

Create field for user name

7. Finding Unfinished Transactions

8. Demo: Finding Unfinished Transactions

Ordered something but not finished

4. Creating Reports and Dashboards from Transaction Results

1. Overview

2. Creating Reports

3. Creating Dashboards

4. Demo: Creating Reports

We can not see any SPL query in the dashboard.

Better choose cron expression.

5. Demo: Creating Dashboards

Add to dashboards

Export – schedule to deliver as PDF

5. Determining When to Use Transactions

1. Overview

2. Drawbacks of Transactions

In transaction duration automatically created but in stats we define

3. Demo: Compare Transaction and Stats

The same result we can get it from stats command

4. Transaction vs. Join

5. When Transaction Is Not Possible