Search Reference



NOTE - Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.



Finds transaction events within specified search constraints.


searchtxn <transaction-name> [max_terms=<int>] [use_disjunct=<bool>] [eventsonly=<bool>] <search-string>

Required arguments

Syntax: <transactiontype>
Description: The name of the transactiontype stanza that is defined in transactiontypes.conf.
Syntax: <string>
Description: Terms to search for within the transaction events.

Optional arguments

Syntax: eventsonly=<bool>
Description: If true, retrieves only the relevant events but does not run "| transaction" command. Defaults to false.
Syntax: maxterms=<int>
Description: Integer between 1-1000 which determines how many unique field values all fields can use. Using smaller values will speed up search, favoring more recent values. Defaults to 1000.
Syntax: use_disjunct=<bool>
Description: Determines if each term in SEARCH-STRING should be ORed on the initial search. Defaults to true.


Retrieves events matching the transaction type transaction-name with events transitively discovered by the initial event constraint of the search-string.

For example, given an 'email' transactiontype with fields="qid pid" and with a search attribute of 'sourcetype="sendmail_syslog"', and a search-string of "to=root", searchtxn will find all the events that match 'sourcetype="sendmail_syslog" to=root'.

From those results, all the qid's and pid's are transitively used to find further search for relevant events. When no more qid or pid values are found, the resulting search is run:

'sourcetype="sendmail_syslog" ((qid=val1 pid=val1) OR (qid=valn pid=valm) | transaction name=email | search to=root'


Example 1: Find all email transactions to root from David Smith.

| searchtxn email to=root from="David Smith"

See also



Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the searchtxn command.

This documentation applies to the following versions of Splunk: 4.3 , 4.3.1 , 4.3.2 , 4.3.3 , 4.3.4 , 4.3.5 , 4.3.6 , 4.3.7 , 5.0 , 5.0.1 , 5.0.2 , 5.0.3 , 5.0.4 , 5.0.5 , 5.0.6 , 5.0.7 , 5.0.8 , 5.0.9 , 5.0.10 , 5.0.11 , 6.0 , 6.0.1 , 6.0.2 , 6.0.3 , 6.0.4 , 6.0.5 , 6.0.6 , 6.0.7 , 6.1 , 6.1.1 , 6.1.2 , 6.1.3 , 6.1.4 , 6.1.5 , 6.2.0 View the Article History for its revisions.

You must be logged into in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!