Splunk® Enterprise

Search Reference


NOTE - Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.

searchtxn

Description

Efficiently returns transaction events that match a transaction type and contain specific text. If you have Splunk Cloud and want to define transaction types, file a Support ticket.

Syntax

| searchtxn <transaction-name> [max_terms=<int>] [use_disjunct=<bool>] [eventsonly=<bool>] <search-string>

Required arguments

<transaction-name>
Syntax: <transactiontype>
Description: The name of the transactiontype stanza that is defined in transactiontypes.conf.
<search-string>
Syntax: <string>
Description: Terms to search for within the transaction events.

Optional arguments

eventsonly
Syntax: eventsonly=<bool>
Description: If true, retrieves only the relevant events and does not run the transaction command on them.
Default: false
max_terms
Syntax: max_terms=<int>
Description: Integer between 1 and 1000 that caps how many unique values of the transaction fields are collected while the search is expanded. Smaller values make the search faster at the cost of completeness; the more recent values are favored.
Default: 1000
use_disjunct
Syntax: use_disjunct=<bool>
Description: Specifies if each term in <search-string> should be processed as if separated by an OR operator on the initial search.
Default: true

Usage

The searchtxn command is a generating command and should be the first command in the search. Generating commands use a leading pipe character.

The command works only for transactions bound together by particular field values, not by ordering or time constraints.

Suppose you have a transactiontype stanza in the transactiontypes.conf file called 'email' with the following settings.

  • fields="qid, pid"
  • sourcetype="sendmail_syslog"

Now suppose you run searchtxn against this transaction type with the search-string to=root.

The searchtxn command first finds all of the events that match sourcetype="sendmail_syslog" to=root.

From those results, every qid and pid value found is used to search for further events that belong to the same transactions, and any new qid or pid values that turn up in those events are added to the search. This repeats until no additional qid or pid values are found. The resulting search is then run:

sourcetype="sendmail_syslog" ((qid=val1 pid=val1) OR (qid=valn pid=valm)) | transaction name=email | search to=root
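The expansion described above, worked through in Python as an added example; this is not Splunk's own code, only a small model of the steps the command performs, run over constructed sendmail-style events. It goes a little beyond the page by showing how max_terms bounds the expansion, why use_disjunct defaults to true, and what eventsonly returns. The function names, the term-matching rules (field=value equality, bare words as substrings), the grouping model (events linked through any shared qid or pid value) and the sample events are all assumptions made for this example.

```python
"""Added example, not Splunk's own code: a model of what searchtxn does."""
import shlex

# Constructed sample events, already field-extracted the way Splunk would have
# them at search time (not real logs). Note that pid 4024 is reused by two
# different messages, so the pid field links qid BBB and qid DDD together.
EVENTS = [
    {"id": 1, "sourcetype": "sendmail_syslog", "pid": "4021", "qid": "AAA", "from": "alice@example.com"},
    {"id": 2, "sourcetype": "sendmail_syslog", "pid": "4022", "qid": "AAA", "to": "root", "stat": "Sent"},
    {"id": 3, "sourcetype": "sendmail_syslog", "pid": "4023", "qid": "BBB", "from": "David Smith"},
    {"id": 4, "sourcetype": "sendmail_syslog", "pid": "4024", "qid": "BBB", "to": "root", "stat": "Sent"},
    {"id": 5, "sourcetype": "sendmail_syslog", "pid": "4025", "qid": "CCC", "from": "bob@example.com"},
    {"id": 6, "sourcetype": "sendmail_syslog", "pid": "4026", "qid": "CCC", "to": "bob", "stat": "Sent"},
    {"id": 7, "sourcetype": "sendmail_syslog", "pid": "4024", "qid": "DDD", "from": "carol@example.com"},
    {"id": 8, "sourcetype": "syslog", "pid": "99", "to": "root"},  # wrong sourcetype: never seeds
]

# Stand-in for the [email] stanza in transactiontypes.conf described on the page.
TRANSACTION_TYPES = {"email": {"fields": ["qid", "pid"], "sourcetype": "sendmail_syslog"}}


def parse_terms(search_string):
    """'to=root from="David Smith"' -> [("to", "root"), ("from", "David Smith")].
    A bare word becomes (None, word) and is matched as a substring of any field."""
    terms = []
    for tok in shlex.split(search_string):
        field, sep, value = tok.partition("=")
        terms.append((field, value) if sep else (None, tok))
    return terms


def term_matches(event, term):
    field, value = term
    if field is None:
        return any(value.lower() in str(v).lower() for v in event.values())
    return str(event.get(field, "")).lower() == value.lower()


def searchtxn(events, name, search_string, max_terms=1000, use_disjunct=True, eventsonly=False):
    ttype = TRANSACTION_TYPES[name]
    fields = ttype["fields"]
    terms = parse_terms(search_string)
    scoped = [e for e in events if e.get("sourcetype") == ttype["sourcetype"]]

    # Step 1: the initial search; terms are OR'ed together when use_disjunct is true.
    combine = any if use_disjunct else all
    seeds = [e for e in scoped if combine(term_matches(e, t) for t in terms)]

    # Step 2: collect (field, value) pairs and re-search until no new values appear.
    # max_terms caps how many distinct values may be collected in total.
    known = set()

    def collect(evs):
        added = 0
        for e in evs:
            for f in fields:
                if f in e and (f, e[f]) not in known and len(known) < max_terms:
                    known.add((f, e[f]))
                    added += 1
        return added

    collect(seeds)
    while True:
        related = [e for e in scoped if any((f, e.get(f)) in known for f in fields)]
        if collect(related) == 0:
            break
    if eventsonly:
        return related

    # Step 3: "| transaction name=email", modelled as union-find over the values
    # each event carries, so events sharing any qid or pid end up in one group.
    parent = {}

    def find(x):
        while parent.setdefault(x, x) != x:
            x = parent[x]
        return x

    for e in related:
        keys = [(f, e[f]) for f in fields if f in e]
        for k in keys[1:]:
            parent[find(k)] = find(keys[0])
    groups = {}
    for e in related:
        root = find(next((f, e[f]) for f in fields if f in e))
        groups.setdefault(root, []).append(e)

    # Step 4: "| search <search-string>" over whole transactions: every term must
    # be satisfied by some event of the transaction (a conjunction this time).
    return [evs for evs in groups.values() if all(any(term_matches(e, t) for e in evs) for t in terms)]
```

Running searchtxn(EVENTS, "email", 'to=root from="David Smith"') returns one transaction, the events with ids 3, 4 and 7: the seed search with use_disjunct=true picks up both the to=root delivery lines and the from="David Smith" line, the expansion pulls in the rest of each message, and the final conjunctive search keeps only the transaction that contains both terms. With use_disjunct=false the same call returns nothing, because no single event carries both terms. Event 7 is a reminder of why the choice of transaction fields matters: a recycled process id links an unrelated message into the transaction, so check that each listed field really identifies one transaction before trusting the grouping.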

Examples

Example 1:

Find all email transactions to root from David Smith.

| searchtxn email to=root from="David Smith"

See also

transaction



This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.5.0, 6.5.1

