searchtxn

searchtxn

Synopsis

Finds transaction events within specified search constraints.

Syntax

searchtxn <transaction-name> [max_terms=<int>] [use_disjunct=<bool>] [eventsonly=<bool>] <search-string>

Required arguments

<transaction-name>

Syntax: <transactiontype>

Description: The name of the transactiontype stanza that is defined in transactiontypes.conf.

<search-string>

Syntax: <string>

Description: Terms to search for within the transaction events.

Optional arguments

eventsonly

Syntax: eventsonly=<bool>

Description: If true, retrieves only the relevant events but does not run "| transaction" command. Defaults to false.

max_terms

Syntax: maxterms=<int>

Description: Integer between 1-1000 which determines how many unique field values all fields can use. Using smaller values will speed up search, favoring more recent values. Defaults to 1000.

use_disjunct

Syntax: use_disjunct=<bool>

Description: Determines if each term in SEARCH-STRING should be ORed on the initial search. Defaults to true.

Description

Retrieves events matching the transaction type transaction-name with events transitively discovered by the initial event constraint of the search-string.

For example, given an 'email' transactiontype with fields="qid pid" and with a search attribute of 'sourcetype="sendmail_syslog"', and a search-string of "to=root", searchtxn will find all the events that match 'sourcetype="sendmail_syslog" to=root'.

From those results, all the qid's and pid's are transitively used to find further search for relevant events. When no more qid or pid values are found, the resulting search is run:

'sourcetype="sendmail_syslog" ((qid=val1 pid=val1) OR (qid=valn pid=valm) | transaction name=email | search to=root'

Examples

Example 1: Find all email transactions to root from David Smith.

See also

transaction

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the searchtxn command.

• Was this topic useful?
• Post a comment