Splunk Enterprise

Search Reference

Download manual as PDF

NOTE - Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.



Finds specific transaction events within specified search constraints.

Efficiently retrieves transaction events matching the transaction type transaction-name that contain the text selected by search-string.

For example, given an 'email' transactiontype with fields="qid pid" and with a search attribute of 'sourcetype="sendmail_syslog"' and a search-string of "to=root", searchtxn finds all the events that match 'sourcetype="sendmail_syslog" to=root'.

From those results, all the qid's and pid's locatable by this constraint are then used to further search for relevant transaction events. When no more qid or pid values are found, the resulting search is run:

'sourcetype="sendmail_syslog" ((qid=val1 pid=val1) OR (qid=valn pid=valm) | transaction name=email | search to=root'

Note: searchtxn can only work for transactions bound together by particular field values, not by ordering or time constraints.


searchtxn <transaction-name> [max_terms=<int>] [use_disjunct=<bool>] [eventsonly=<bool>] <search-string>

Required arguments

Syntax: <transactiontype>
Description: The name of the transactiontype stanza that is defined in transactiontypes.conf.
Syntax: <string>
Description: Terms to search for within the transaction events.

Optional arguments

Syntax: eventsonly=<bool>
Description: If true, retrieves only the relevant events but does not run "| transaction" command.
Default: false
Syntax: maxterms=<int>
Description: Integer between 1-1000 which determines how many unique field values all fields can use. Using smaller values speeds up search, favoring more recent values.
Default: 1000
Syntax: use_disjunct=<bool>
Description: Determines if each term in SEARCH-STRING should be ORed on the initial search.
Default: true


Example 1:

Find all email transactions to root from David Smith.

| searchtxn email to=root from="David Smith"

See also



Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the searchtxn command.


This documentation applies to the following versions of Splunk: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.3.0 View the Article History for its revisions.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole
Feedback you enter here will be delivered to the documentation team

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters