Splunk® Enterprise

Knowledge Manager Manual


Configure transaction types

Any series of events can be turned into a transaction type. Read more about use cases in "About transactions", in this manual.

You can create transaction types via transactiontypes.conf. See below for configuration details.

For more information on configuration files in general, see "About configuration files" in the Admin manual.

Configure transaction types in transactiontypes.conf

1. Create a transactiontypes.conf file in $SPLUNK_HOME/etc/system/local/, or your own custom app directory in $SPLUNK_HOME/etc/apps/.

2. Define transactions by creating a stanza and listing specifications for each transaction within its stanza. Use the following attributes:

[<transactiontype>]
maxspan = [<integer> s|m|h|d|-1]
maxpause = [<integer> s|m|h|d|-1]
maxevents = <integer>
fields = <comma-separated list of fields>
startswith = <transam-filter-string>
endswith = <transam-filter-string>

[<transactiontype>]

  • Create any number of transaction types, each represented by a stanza name and any number of the following attribute/value pairs.
  • Use the stanza name, <transactiontype>, as the argument to the transaction command when you search for the transaction in Splunk Web.
  • If you do not specify an entry for one of the following attributes, Splunk Enterprise uses the default value for that attribute.

maxspan = [<integer> s|m|h|d|-1]

  • Set the maximum time span for the transaction.
  • Can be in seconds, minutes, hours or days, or set to -1 for unlimited.
    • For example: 5s, 6m, 12h or 30d.
  • Defaults to -1.

maxpause = [<integer> s|m|h|d|-1]

  • Set the maximum pause between the events in a transaction.
  • Can be in seconds, minutes, hours or days, or set to -1 for unlimited.
    • For example: 5s, 6m, 12h or 30d.
  • Defaults to -1.

maxevents = <integer>

  • The maximum number of events in a transaction. This constraint is disabled if the value is a negative integer.
  • Defaults to 1000.

fields = <comma-separated list of fields>

  • If set, each event must have the same field(s) to be considered part of the same transaction.
    • For example: fields = host,cookie
  • Defaults to " ".

connected= [true|false]

  • Relevant only when fields is not empty. Controls what happens to an event that is neither consistent nor inconsistent with an open transaction: with connected=true such an event opens a new transaction, with connected=false it is added to the existing transaction.
  • An event is neither consistent nor inconsistent when it carries the fields required by the transaction but none of those fields has yet been given a value in the transaction by a previously added event.
  • Defaults to: connected = true

startswith = <transam-filter-string>

  • A search or eval filtering expression which, if satisfied by an event, marks the beginning of a new transaction.
  • For example:
    • startswith="login"
    • startswith=(username=foobar)
    • startswith=eval(speed_field < max_speed_field)
    • startswith=eval(speed_field < max_speed_field/12)
  • Defaults to: " ".

endswith=<transam-filter-string>

  • A search or eval filtering expression which, if satisfied by an event, marks the end of a transaction.
  • For example:
    • endswith="logout"
    • endswith=(username=foobar)
    • endswith=eval(speed_field > max_speed_field)
    • endswith=eval(speed_field > max_speed_field/12)
  • Defaults to: " "

For both startswith and endswith, <transam-filter-string> has the following syntax:

"<search-expression>" | (<quoted-search-expression>) | eval(<eval-expression>)

Where:

  • <search-expression> is a valid search expression that does not contain quotes.
  • <quoted-search-expression> is a valid search expression that contains quotes.
  • <eval-expression> is a valid eval expression that evaluates to a boolean. For example, startswith=eval(foo<bar*2) will match events where foo is less than 2 x bar.

Examples:

  • "<search-expression>": startswith="foo bar"
  • <quoted-search-expression>: startswith=(name="foo bar")
  • <quoted-search-expression>: startswith=("search literal")
  • eval(<eval-expression>): startswith=eval(distance/time < max_speed)

3. Use the transaction command in a search to invoke your defined transaction type by its stanza name. Any option you give the transaction command in the search overrides the corresponding setting in transactiontypes.conf for that search only.

For more information about searching for transactions, see "Search for transactions" in this manual.
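The following stanza is an added example and not part of the Splunk documentation. It ties the procedure above together for a hypothetical web authentication log: the sourcetype web_auth, the field names user, src_ip and action, and the action values login and logout are assumptions about the indexed data, not anything Splunk defines.

```ini
# $SPLUNK_HOME/etc/apps/my_app/local/transactiontypes.conf
# Added example, not a stanza shipped with Splunk. The app name my_app and
# the fields user, src_ip and action are assumptions about the indexed data.
[web_session]
# Every event in one session must carry the same user and source address;
# two users logging in from the same address stay in separate transactions.
fields = user,src_ip
# A session opens on a login event and closes on a logout event.
# Both use the (<quoted-search-expression>) form of <transam-filter-string>.
startswith = (action="login")
endswith = (action="logout")
# Bound the session in time: at most 8 hours from first to last event,
# and at most 30 minutes of silence between consecutive events.
maxspan = 8h
maxpause = 30m
# Cap the event count so one chatty client cannot turn a single session
# into an arbitrarily large transaction.
maxevents = 500
```

Search it with `sourcetype=web_auth | transaction web_session`. To tighten the bound for a single investigation without editing the file, pass the option on the command, for example `| transaction web_session maxspan=1h`; the stanza value is used again by the next search that does not override it.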

Additional transaction configuration attributes

transactiontypes.conf includes a few more sets of attributes that handle situations such as rendering multivalue fields and keeping memory use under control.

Transaction options for memory constraint issues

maxopentxn=<int>

  • Specifies the maximum number of not yet closed transactions to keep in the open pool. When the pool is full, open transactions are evicted, least recently used (LRU) first.
  • The default value of this attribute is read from the transactions stanza in limits.conf.

maxopenevents=<int>

  • Specifies the maximum number of events that belong to open transactions. When this limit is reached, open transactions are evicted, least recently used (LRU) first.
  • The default value of this attribute is read from the transactions stanza in limits.conf.

keepevicted=[true|false]

  • Whether to output evicted transactions. Evicted transactions can be distinguished from non-evicted transactions by checking the value of the evicted field, which is set to 1 for evicted transactions.
  • Defaults to keepevicted=false.

Transaction options for rendering multivalue fields

mvlist=[true|false]|<field-list>

  • The mvlist attribute controls how the multivalue fields of a transaction are rendered: either (1) as a list of the original events' values in arrival order, duplicates included, or (2) as a set of unique values ordered lexicographically. mvlist=true renders every field as a list and mvlist=false renders every field as a set. If a comma- or space-delimited list of fields is provided, only those fields are rendered as lists and the rest as sets.
  • Defaults to: mvlist=false.

delim=<string>

  • A string used to delimit the original event values in the transaction event fields.
  • Defaults to: delim=" "

nullstr=<string>

  • The string value to use when rendering missing field values as part of multivalue fields in a transaction.
  • This option applies only to fields that are rendered as lists.
  • Defaults to: nullstr=NULL
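The stanza below is an added example, not part of the original page, showing the memory and rendering options above applied to a session-type transaction. The stanza name, the sourcetype web_auth and the field names user, src_ip, uri and status are assumptions about the indexed data; the numeric limits are illustrative.

```ini
# $SPLUNK_HOME/etc/apps/my_app/local/transactiontypes.conf
# Added example, not shipped with Splunk. Stanza name, app name and the
# fields user, src_ip, uri and status are assumptions about the indexed data.
[web_session_audit]
fields = user,src_ip
startswith = (action="login")
endswith = (action="logout")
maxspan = 8h

# Memory bounds for this type, overriding the limits.conf defaults:
# once more than 2000 sessions are open at the same time, or more than
# 50000 events belong to open sessions, the least recently used open
# transactions are evicted.
maxopentxn = 2000
maxopenevents = 50000
# Emit evicted transactions (with evicted=1) instead of dropping them
# silently. With the default keepevicted=false a session cut short by
# eviction never appears in the results at all.
keepevicted = true

# Render uri and status as full per-event lists (arrival order, duplicates
# kept) so the sequence of requests in a session is recoverable. All other
# fields keep the default rendering as deduplicated sets.
mvlist = uri,status
# Separator used when the original event values are combined into the
# fields of the transaction event.
delim = " | "
# Placeholder for an event that lacks one of the listed fields, so the
# positions in the uri and status lists stay aligned event by event.
nullstr = -
```

With this stanza, `sourcetype=web_auth | transaction web_session_audit | search evicted=1` isolates the sessions that were cut short by eviction. That visibility matters for any detection that reasons about incomplete sessions (a login with no matching logout, for instance): with keepevicted left at its default of false, such sessions vanish from the output whenever the open pool overflows, and the search reports fewer incidents than actually occurred.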

This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3


Comments

Is there a way to search the middle of a transaction? I'd like to group firewall logs for RPC transactions, but only look at transactions that had a Deny in the middle.

Djmcdona
October 17, 2014

Karthy, thanks for catching that. Looks like this topic got out of sync with transactions.conf over the last release or two. We've updated this topic so it better reflects what transactions.conf currently offers and will continue to keep an eye on it going forward.

Mness, Splunker
January 4, 2013

"exclusive" has been deprecated

Karthy
December 17, 2012
