Related Answers
Download topic as PDF
searchtxn
Description
Efficiently returns transaction events that match a transaction type and contain specific text. If you have Splunk Cloud and want to define transaction types, file a Support ticket.
Syntax
| searchtxn <transaction-name> [max_terms=<int>] [use_disjunct=<bool>] [eventsonly=<bool>] <search-string>
Required arguments
- <transaction-name>
- Syntax: <transactiontype>
- Description: The name of the transaction type stanza that is defined in
transactiontypes.conf.
- <search-string>
- Syntax: <string>
- Description: Terms to search for within the transaction events.
Optional arguments
- eventsonly
- Syntax: eventsonly=<bool>
- Description: If true, retrieves only the relevant events but does not run "| transaction" command.
- Default: false
- max_terms
- Syntax: maxterms=<int>
- Description: Integer between 1-1000 which determines how many unique field values all fields can use. Using smaller values speeds up search, favoring more recent values.
- Default: 1000
- use_disjunct
- Syntax: use_disjunct=<bool>
- Description: Specifies if each term in <search-string> should be processed as if separated by an OR operator on the initial search.
- Default: true
Usage
The searchtxn command is an event-generating command. See Command types.
Generating commands use a leading pipe character and should be the first command in a search.
Transactions
The command works only for transactions bound together by particular field values, not by ordering or time constraints.
Suppose you have a <transactiontype> stanza in the transactiontypes.conf.in file called "email". The stanza contains the following settings.
- fields=qid, pid
- search=sourcetype=sendmail_syslog to=root
The searchtxn command finds all of the events that match sourcetype="sendmail_syslog" to=root.
From those results, all fields that contain a qid or pid located are used to further search for relevant transaction events. When no additional qid or pid values are found, the resulting search is run:
sourcetype="sendmail_syslog" ((qid=val1 pid=val1) OR (qid=valn pid=valm) | transaction name=email | search to=root
Examples
Example 1:
Find all email transactions to root from David Smith.
| searchtxn email to=root from="David Smith"
See also
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the searchtxn command.
|
PREVIOUS search |
NEXT selfjoin |
This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.10, 6.3.11, 6.3.12, 6.3.14, 4.3.1, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.13, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.3.0, 6.3.2, 6.3.3, 6.3.4
Feedback submitted, thanks!