Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

what does connected mean in transaction

Ledion_Bitincka
Splunk Employee
Splunk Employee
‎02-11-2010 06:23 PM

explain the significance of the connected flag in transaction

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

Ledion_Bitincka
Splunk Employee
Splunk Employee
‎02-11-2010 06:24 PM

Here are two examples that explain how the connected flag affects transactions. Consider having these events in descending time order

event1 mid=1  
event2 foo_id=abc
event3 mid=1, foo_id=abc
event4 foo_id=abc

.... | transaction mid, foo_id

when using connected=true the following trasaction will be created: (event2 is not added because at the time it is processed we don't have an established transitive relationship between mid and foo_id)

event1 mid=1
event3 mid=1, foo_id=abc
event4 foo_id=abc

if connected=false the transaction would look like

event1 mid=1
event2 foo_id=abc
event3 mid=1, foo_id=abc
event4 foo_id=abc

connected=true means that before adding an event to a transaction the value of least one of the unifying fields must be present in at least one of the existing events in the transaction. connected=false means that an event can be added to a transaction eventhough a transitive relation is not established between the fields already seen in the transaction and the ones present in the event

Given that we see events in the reverse time order, there are some pretty good chances that we see the transitive relation established after (earlier in time) it can be useful to us. Consider the following stream of events 

time=1 action=login, user=foo
time=2 action=assing_id, user=foo, id=123
time=3 action=sendemail, id=123
time=4 action=drink beer, user=foo

is processed in splunk as follows: (so you can see that in connected=true "time=3 action=sendemail, id=123" will not be part of the transaction because it occurs before the transitive relationship betwen user and id is formed)

time=4 action=drink beer, user=foo
time=3 action=sendemail, id=123
time=2 action=assing_id, user=foo, id=123
time=1 action=login, user=foo

In 4.1 we do the right thing even when the transitive relationship is seen later - in pre 4.1 connected=false is the poor's man solution

View solution in original post

Reply
Solved! Jump to solution
Solution

Ledion_Bitincka
Splunk Employee
Splunk Employee
‎02-11-2010 06:24 PM

Here are two examples that explain how the connected flag affects transactions. Consider having these events in descending time order

event1 mid=1  
event2 foo_id=abc
event3 mid=1, foo_id=abc
event4 foo_id=abc

.... | transaction mid, foo_id

when using connected=true the following trasaction will be created: (event2 is not added because at the time it is processed we don't have an established transitive relationship between mid and foo_id)

event1 mid=1
event3 mid=1, foo_id=abc
event4 foo_id=abc

if connected=false the transaction would look like

event1 mid=1
event2 foo_id=abc
event3 mid=1, foo_id=abc
event4 foo_id=abc

connected=true means that before adding an event to a transaction the value of least one of the unifying fields must be present in at least one of the existing events in the transaction. connected=false means that an event can be added to a transaction eventhough a transitive relation is not established between the fields already seen in the transaction and the ones present in the event

Given that we see events in the reverse time order, there are some pretty good chances that we see the transitive relation established after (earlier in time) it can be useful to us. Consider the following stream of events 

time=1 action=login, user=foo
time=2 action=assing_id, user=foo, id=123
time=3 action=sendemail, id=123
time=4 action=drink beer, user=foo

is processed in splunk as follows: (so you can see that in connected=true "time=3 action=sendemail, id=123" will not be part of the transaction because it occurs before the transitive relationship betwen user and id is formed)

time=4 action=drink beer, user=foo
time=3 action=sendemail, id=123
time=2 action=assing_id, user=foo, id=123
time=1 action=login, user=foo

In 4.1 we do the right thing even when the transitive relationship is seen later - in pre 4.1 connected=false is the poor's man solution

Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...