
searchtxn
Description
Efficiently returns transaction events that match a transaction type and contain specific text. If you have Splunk Cloud and want to define transaction types, file a Support ticket.
Syntax
| searchtxn <transaction-name> [max_terms=<int>] [use_disjunct=<bool>] [eventsonly=<bool>] <search-string>
Required arguments
- <transaction-name>
- Syntax: <transactiontype>
- Description: The name of the transaction type stanza that is defined in transactiontypes.conf.
- <search-string>
- Syntax: <string>
- Description: Terms to search for within the transaction events.
Optional arguments
- eventsonly
- Syntax: eventsonly=<bool>
- Description: If true, retrieves only the relevant events but does not run "| transaction" command.
- Default: false
- max_terms
- Syntax: max_terms=<int>
- Description: Integer between 1 and 1000 that caps how many unique field values, counted across all of the transaction fields, the command collects while expanding the search. Smaller values speed up the search; when the cap is reached, the most recent values are kept.
- Default: 1000
- use_disjunct
- Syntax: use_disjunct=<bool>
- Description: Specifies if each term in <search-string> should be processed as if separated by an OR operator on the initial search.
- Default: true
Usage
The searchtxn command is an event-generating command. See Command types.
Generating commands use a leading pipe character and should be the first command in a search.
Transactions
The command works only for transactions bound together by particular field values, not by ordering or time constraints.
Suppose you have a <transactiontype> stanza in the transactiontypes.conf file called "email". The stanza contains the following settings.
- fields=qid, pid
- search=sourcetype=sendmail_syslog to=root
The searchtxn command first finds all of the events that match sourcetype="sendmail_syslog" to=root.
From those results, every qid and pid value that is found is used to search for further related events. Newly found events contribute further qid and pid values, and the expansion repeats until no additional qid or pid values are found. The resulting search is then run:
sourcetype="sendmail_syslog" ((qid=val1 pid=val1) OR (qid=valn pid=valm)) | transaction name=email | search to=root
Note that to=root is applied after the transaction is assembled, so events that belong to the transaction but do not themselves contain to=root are still included in it.
Examples
Example 1:
Find all email transactions to root from David Smith.
| searchtxn email to=root from="David Smith"
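To make the expansion described in the Transactions section and this example concrete, here is a small model of the steps, written in Python for this page (it is not Splunk's code). It seeds with the stanza search, grows the event set through shared qid and pid values until nothing new appears, chains events transitively the way the transaction command does, and applies the remaining terms to whole transactions. The sample events, the treatment of the sourcetype term as the scope of the expansion search, and the rule that a transaction passes the post-filter when each term is met by some event in it are all assumptions made for the example.

```python
"""Model of how searchtxn expands a transaction search.

Constructed example for this page, not Splunk's implementation: it mimics the
steps the Usage section describes (seed search, iterative qid/pid expansion,
transaction grouping, post-filter) over an in-memory list of events.
"""
from collections import defaultdict
from typing import Dict, List

Event = Dict[str, str]
Terms = Dict[str, str]  # field -> required value, e.g. {"to": "root"}

# Constructed sendmail-style events (not real log data). qid ties together one
# message's lifecycle, pid ties together lines written by one sendmail process.
EVENTS: List[Event] = [
    {"_time": "1", "sourcetype": "sendmail_syslog", "qid": "q1", "pid": "p10", "from": "David Smith"},
    {"_time": "2", "sourcetype": "sendmail_syslog", "qid": "q1", "pid": "p11", "to": "root"},
    {"_time": "3", "sourcetype": "sendmail_syslog", "pid": "p11", "status": "sent"},
    {"_time": "4", "sourcetype": "sendmail_syslog", "qid": "q2", "pid": "p20", "from": "Alice"},
    {"_time": "5", "sourcetype": "sendmail_syslog", "qid": "q2", "pid": "p21", "to": "root"},
    {"_time": "6", "sourcetype": "sendmail_syslog", "qid": "q3", "pid": "p30", "from": "David Smith"},
    {"_time": "7", "sourcetype": "sendmail_syslog", "qid": "q3", "pid": "p31", "to": "bob"},
    {"_time": "8", "sourcetype": "other", "pid": "p11", "msg": "same pid, wrong sourcetype"},
]

# Stand-in for the [email] stanza in transactiontypes.conf.
TRANSACTION_TYPES = {
    "email": {"fields": ["qid", "pid"],
              "search": {"sourcetype": "sendmail_syslog", "to": "root"}},
}


def matches(event: Event, terms: Terms, disjunct: bool = False) -> bool:
    """AND (default) or OR of field=value terms against one event."""
    if not terms:
        return True
    hits = [event.get(f) == v for f, v in terms.items()]
    return any(hits) if disjunct else all(hits)


def collect_values(events, fields, max_terms):
    """Unique values of the transaction fields, newest event first, stopping
    once max_terms values have been taken across all fields (the cap drops
    the oldest values, as the max_terms argument describes)."""
    values = defaultdict(set)
    taken = 0
    for ev in sorted(events, key=lambda e: int(e["_time"]), reverse=True):
        for f in fields:
            v = ev.get(f)
            if v is None or v in values[f]:
                continue
            if taken >= max_terms:
                return values
            values[f].add(v)
            taken += 1
    return values


def expand(all_events, scope, fields, seed, max_terms):
    """Grow the seed set until no event adds a new qid/pid value."""
    found = list(seed)
    while True:
        values = collect_values(found, fields, max_terms)
        new = [ev for ev in all_events
               if ev not in found and matches(ev, scope)
               and any(ev.get(f) in values[f] for f in fields)]
        if not new:
            return found
        found.extend(new)


def group_transactions(events, fields):
    """Union-find: events sharing a value in any transaction field are linked,
    transitively, the way `transaction qid pid` chains them."""
    parent = list(range(len(events)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    first_seen = {}
    for i, ev in enumerate(events):
        for f in fields:
            if ev.get(f) is None:
                continue
            key = (f, ev[f])
            if key in first_seen:
                parent[find(i)] = find(first_seen[key])
            else:
                first_seen[key] = i
    groups = defaultdict(list)
    for i, ev in enumerate(events):
        groups[find(i)].append(ev)
    return [sorted(g, key=lambda e: int(e["_time"])) for g in groups.values()]


def searchtxn(name, search_string, all_events=EVENTS, max_terms=1000,
              use_disjunct=True, eventsonly=False):
    stanza = TRANSACTION_TYPES[name]
    fields = stanza["fields"]
    # Assumption: the sourcetype term scopes the expansion search; every other
    # stanza term and the user's terms are applied after grouping.
    scope = {"sourcetype": stanza["search"]["sourcetype"]}
    post_filter = {k: v for k, v in stanza["search"].items() if k != "sourcetype"}
    post_filter.update(search_string)
    # Initial search: the stanza search plus the user's terms, OR'd together
    # when use_disjunct is set (the default), AND'd otherwise.
    seed = [ev for ev in all_events
            if matches(ev, stanza["search"]) and matches(ev, search_string, use_disjunct)]
    events = expand(all_events, scope, fields, seed, max_terms)
    if eventsonly:
        return sorted(events, key=lambda e: int(e["_time"]))
    # Post-filter: a transaction passes if each term is met by some event in it.
    return [txn for txn in group_transactions(events, fields)
            if all(any(ev.get(f) == v for ev in txn) for f, v in post_filter.items())]


if __name__ == "__main__":
    for txn in searchtxn("email", {"to": "root", "from": "David Smith"}):
        print([ev["_time"] for ev in txn])
```

With the default arguments the call above returns one transaction made of events 1, 2 and 3: event 1 (the from= line) and event 3 (the status line) do not contain to=root but are pulled in through q1 and p11. Lowering max_terms to 3 drops the p11 value and returns a truncated transaction without event 3, which is the trade-off the max_terms argument describes. Setting use_disjunct=false returns nothing, because no single event carries both to=root and from="David Smith"; that is why the terms are OR'd on the initial search by default.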
This documentation applies to the following versions of Splunk Cloud™: 7.0.13, 7.2.4, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 8.0.2006, 8.0.2007, 8.1.2008, 8.1.2009, 8.1.2011, 8.1.2012, 8.1.2101