
searchtxn
Description
Efficiently returns transaction events that match a transaction type and contain specific text. If you have Splunk Cloud and want to define transaction types, file a Support ticket.
Syntax
| searchtxn <transaction-name> [max_terms=<int>] [use_disjunct=<bool>] [eventsonly=<bool>] <search-string>
Required arguments
- <transaction-name>
- Syntax: <transactiontype>
- Description: The name of the transaction type stanza that is defined in transactiontypes.conf.
- <search-string>
- Syntax: <string>
- Description: Terms to search for within the transaction events.
Optional arguments
- eventsonly
- Syntax: eventsonly=<bool>
- Description: If true, retrieves only the relevant events and does not run the transaction command on them.
- Default: false
- max_terms
- Syntax: max_terms=<int>
- Description: Integer between 1 and 1000 that caps the number of distinct field values, across all of the transaction type's fields, that the expanded search may use. Smaller values speed up the search; when the cap is reached, more recent values are favored.
- Default: 1000
- use_disjunct
- Syntax: use_disjunct=<bool>
- Description: Specifies whether each term in <search-string> is treated as if separated by an OR operator on the initial search.
- Default: true
Usage
The searchtxn command is an event-generating command. See Command types.
Generating commands use a leading pipe character and should be the first command in a search.
Transactions
The command works only for transactions bound together by particular field values, not by ordering or time constraints.
Suppose you have a <transactiontype> stanza in the transactiontypes.conf file called "email". The stanza contains the following settings.
- fields=qid, pid
- search=sourcetype=sendmail_syslog to=root
The searchtxn command first finds all of the events that match sourcetype="sendmail_syslog" to=root.
From those results, every qid and pid value found is used to search for further events of the transaction, and any new qid or pid values that those events carry are searched for in turn. When no additional qid or pid values are found, the resulting search is run:
sourcetype="sendmail_syslog" ((qid=val1 pid=val1) OR (qid=valn pid=valm)) | transaction name=email | search to=root
Note that the to=root term is applied only after the transactions are assembled, so an event that shares a qid or pid with a matching event is pulled into the transaction even when it does not itself contain to=root.
Examples
Example 1:
Find all email transactions to root from David Smith.
| searchtxn email to=root from="David Smith"
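The expansion described under Transactions, and the query in Example 1, run over a handful of constructed events. This is an added Python model, not Splunk's code: Splunk does not publish the command's implementation, so the "| transaction" step is replaced here by a simplified chaining of events through a shared qid or pid value, the seed search is split so that only the sourcetype term constrains the expansion (as the expanded search above shows), the search-string terms are checked against the assembled transaction, and the "favoring more recent values" behaviour of max_terms is not modelled. The events, the EMAIL_TXN dictionary and every function name are assumptions made for the example.

```python
"""Model of the search expansion that searchtxn performs, as the page describes it.
Added illustration, not Splunk's implementation."""
from collections import defaultdict

# Constructed sendmail-style events (not real log data), already split into fields.
EVENTS = [
    {"_time": 1, "sourcetype": "sendmail_syslog", "qid": "q1", "pid": "p1", "from": "David Smith"},
    {"_time": 2, "sourcetype": "sendmail_syslog", "qid": "q1", "pid": "p2", "to": "root"},
    {"_time": 3, "sourcetype": "sendmail_syslog", "qid": "q2", "pid": "p2", "to": "alice"},
    {"_time": 4, "sourcetype": "sendmail_syslog", "qid": "q3", "pid": "p3", "to": "root", "from": "Mallory"},
    {"_time": 5, "sourcetype": "sendmail_syslog", "qid": "q4", "pid": "p4", "to": "bob"},
    {"_time": 6, "sourcetype": "other", "qid": "q1", "pid": "p9", "to": "root"},
]

# The "email" stanza from the page, split the way the expanded search on the page
# splits it: the sourcetype term stays on the base search, the rest runs after
# | transaction. (Assumed structure for this example.)
EMAIL_TXN = {
    "name": "email",
    "fields": ["qid", "pid"],
    "base": {"sourcetype": "sendmail_syslog"},
    "post": {"to": "root"},
}


def matches(event, terms):
    """True if the event carries every key=value term (SPL implicit AND)."""
    return all(event.get(k) == v for k, v in terms.items())


def expand(events, txn, max_terms=1000):
    """Harvest qid/pid values from the seed search and follow them until no new
    value turns up. Returns (distinct field values found, linked events)."""
    fields = txn["fields"]
    known = {f: set() for f in fields}

    def harvest(evs):
        """Record unseen binding-field values; stop once max_terms values are held."""
        added = False
        for e in evs:
            for f in fields:
                v = e.get(f)
                if v is None or v in known[f]:
                    continue
                if sum(len(s) for s in known.values()) >= max_terms:
                    return added
                known[f].add(v)
                added = True
        return added

    linked = [e for e in events if matches(e, {**txn["base"], **txn["post"]})]
    harvest(linked)
    while True:
        linked = [e for e in events
                  if matches(e, txn["base"]) and any(e.get(f) in known[f] for f in fields)]
        if not harvest(linked):  # fixed point: no further qid/pid values
            return known, linked


def expanded_spl(txn, linked):
    """Render the search the page says is finally run, one (qid pid) pair per event."""
    pairs = []
    for e in linked:
        pair = "(" + " ".join(f"{f}={e[f]}" for f in txn["fields"] if f in e) + ")"
        if pair not in pairs:
            pairs.append(pair)
    base = " ".join(f'{k}="{v}"' for k, v in txn["base"].items())
    post = " ".join(f"{k}={v}" for k, v in txn["post"].items())
    return f"{base} ({' OR '.join(pairs)}) | transaction name={txn['name']} | search {post}"


def group_transactions(linked, fields):
    """Simplified stand-in for | transaction: events sharing any binding-field
    value are chained into one transaction (union-find over field values)."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    for i, e in enumerate(linked):
        for f in fields:
            if f in e:
                union(("ev", i), (f, e[f]))
    groups = defaultdict(list)
    for i, e in enumerate(linked):
        groups[find(("ev", i))].append(e)
    return [sorted(g, key=lambda e: e["_time"]) for g in groups.values()]


def searchtxn(events, txn, search_terms, max_terms=1000):
    """Return transactions whose events, taken together, satisfy every term:
    the stanza's post-transaction terms plus the user's <search-string>."""
    _, linked = expand(events, txn, max_terms)
    want = {**txn["post"], **search_terms}
    return [g for g in group_transactions(linked, txn["fields"])
            if all(any(e.get(k) == v for e in g) for k, v in want.items())]


if __name__ == "__main__":
    _, linked = expand(EVENTS, EMAIL_TXN)
    print(expanded_spl(EMAIL_TXN, linked))
    for group in searchtxn(EVENTS, EMAIL_TXN, {"from": "David Smith"}):
        print([e["_time"] for e in group])
```

Running it shows the two points the page makes: the event at _time 3 (to=alice) is pulled into the root transaction purely because it shares pid p2, while the event with sourcetype=other is never considered even though it shares qid q1, because the sourcetype term constrains the expansion. Calling expand with max_terms=2 drops the second seed transaction entirely, which is the trade-off the max_terms argument describes.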
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.3, 7.0.10, 7.0.13, 6.3.1, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.11, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.1.0, 8.1.1, 7.0.2, 7.0.4, 7.0.5