The Chronosphere • Room 1

The Transaction Command

The **transaction** command groups multiple events into a single logical event based on common fields (like a session ID).

You can define the boundaries of a transaction with `startswith` and `endswith` strings, or with time constraints such as `maxspan` (the maximum total duration of a transaction) and `maxpause` (the maximum gap between consecutive events).

Grouping a Login Session

```spl
index=web | transaction session_id startswith="login" endswith="logout" maxspan=2h
```
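To show how those boundaries decide where one transaction ends and the next begins, here is an added Python model of the grouping (not Splunk's code and not part of the original room): it runs the same rules as the search above over a handful of constructed `session_id` events and reports each transaction's event count and duration. The log format, the field names and the `parse_span` helper are assumptions for this example.

```python
from datetime import datetime

SAMPLE = [  # constructed sample events (not real logs): "<ISO time> session_id=<id> <action>"
    "2024-05-01T09:00:00 session_id=A login",
    "2024-05-01T09:10:00 session_id=A view",
    "2024-05-01T09:20:00 session_id=A logout",
    "2024-05-01T09:05:00 session_id=B login",
    "2024-05-01T12:00:00 session_id=B view",    # 2h55m after login: exceeds maxspan=2h
    "2024-05-01T12:05:00 session_id=B logout",
]

def parse_span(text):
    """Convert a Splunk-style duration such as '2h', '30m' or '24h' to seconds."""
    return int(text[:-1]) * {"s": 1, "m": 60, "h": 3600, "d": 86400}[text[-1]]

def parse(line):
    """Turn one constructed line into an event dict with _time, session_id and _raw."""
    ts, sid, _action = line.split()
    return {"_time": datetime.fromisoformat(ts), "session_id": sid.split("=", 1)[1], "_raw": line}

def transaction(events, field, startswith=None, endswith=None, maxspan=None, maxpause=None):
    """Simplified model of `transaction <field> startswith=.. endswith=.. maxspan=.. maxpause=..`:
    a startswith event opens a group, an endswith event closes it, a span or pause over the
    limit splits it, and events that belong to no open transaction are dropped."""
    span_limit, pause_limit = (parse_span(x) if x else None for x in (maxspan, maxpause))
    open_tx, closed = {}, []                       # field value -> events of the open group
    for ev in sorted(events, key=lambda e: e["_time"]):
        key, raw = ev[field], ev["_raw"]
        cur = open_tx.get(key)
        if cur is not None:
            span = (ev["_time"] - cur[0]["_time"]).total_seconds()
            pause = (ev["_time"] - cur[-1]["_time"]).total_seconds()
            if (span_limit and span > span_limit) or (pause_limit and pause > pause_limit) \
                    or (startswith and startswith in raw):
                closed.append(open_tx.pop(key))    # boundary hit: close the old group as-is
                cur = None
        if cur is None:
            if startswith and startswith not in raw:
                continue                           # nothing open for this event to join
            cur = open_tx[key] = []
        cur.append(ev)
        if endswith and endswith in raw:
            closed.append(open_tx.pop(key))
    closed.extend(open_tx.values())                # unterminated groups are still emitted
    return [{field: tx[0][field], "eventcount": len(tx),
             "duration": (tx[-1]["_time"] - tx[0]["_time"]).total_seconds()} for tx in closed]

def run_example():
    """Mirror the page's search: group by session_id from login to logout with maxspan=2h."""
    return transaction([parse(l) for l in SAMPLE], "session_id", startswith="login", endswith="logout", maxspan="2h")
```

Session A stays one transaction of three events; session B's `view` arrives more than 2h after its `login`, so `maxspan` closes the transaction at the single `login` event and the later events, having no open transaction to join, are dropped. Real Splunk eviction behaviour is not modelled.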

Knowledge Check

Prove your understanding to clear the room (Rewards XP)
Write a transaction command grouping by "ticket_id" with a maximum span of "24h".