Finds transaction events within specified search constraints.
searchtxn <transaction-name> [max_terms=<int>] [use_disjunct=<bool>] [eventsonly=<bool>] <search-string>
- Syntax: <transactiontype>
- Description: The name of the
transactiontypestanza that is defined in
- Syntax: <string>
- Description: Terms to search for within the transaction events.
- Syntax: eventsonly=<bool>
- Description: If true, retrieves only the relevant events but does not run "| transaction" command. Defaults to false.
- Syntax: maxterms=<int>
- Description: Integer between 1-1000 which determines how many unique field values all fields can use. Using smaller values will speed up search, favoring more recent values. Defaults to 1000.
- Syntax: use_disjunct=<bool>
- Description: Determines if each term in SEARCH-STRING should be ORed on the initial search. Defaults to true.
Retrieves events matching the transaction type
transaction-name with events transitively discovered by the initial event constraint of the
For example, given an 'email' transactiontype with fields="qid pid" and with a search attribute of 'sourcetype="sendmail_syslog"', and a
search-string of "to=root", searchtxn will find all the events that match 'sourcetype="sendmail_syslog" to=root'.
From those results, all the qid's and pid's are transitively used to find further search for relevant events. When no more qid or pid values are found, the resulting search is run:
'sourcetype="sendmail_syslog" ((qid=val1 pid=val1) OR (qid=valn pid=valm) | transaction name=email | search to=root'
Example 1: Find all email transactions to root from David Smith.
| searchtxn email to=root from="David Smith"
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the searchtxn command.