Efficiently returns transaction events that match a transaction type and contain specific text. If you have Splunk Cloud and want to define transaction types, file a Support ticket.
| searchtxn <transaction-name> [max_terms=<int>] [use_disjunct=<bool>] [eventsonly=<bool>] <search-string>
- Syntax: <transaction-name>
- Description: The name of the transaction type stanza that is defined in transactiontypes.conf.
- Syntax: <search-string>
- Description: Terms to search for within the transaction events.
- Syntax: eventsonly=<bool>
- Description: If true, retrieves only the relevant events and does not run the transaction command on them.
- Default: false
- Syntax: max_terms=<int>
- Description: An integer between 1 and 1000 that limits how many unique field values, across all fields, the search can use. Smaller values speed up the search and favor more recent values.
- Default: 1000
- Syntax: use_disjunct=<bool>
- Description: Specifies whether each term in <search-string> is treated as if separated by an OR operator in the initial search.
- Default: true
Generating commands use a leading pipe character and should be the first command in a search.
The command works only for transactions bound together by particular field values, not by ordering or time constraints.
Suppose you have a <transactiontype> stanza in the transactiontypes.conf file called "email". The stanza contains the following settings.
- fields=qid, pid
- search=sourcetype=sendmail_syslog to=root
The searchtxn command first finds all of the events that match the search defined in the stanza.
From those results, all fields that contain a qid or pid located are used to further search for relevant transaction events. When no additional qid or pid values are found, the resulting search is run:
sourcetype="sendmail_syslog" ((qid=val1 pid=val1) OR (qid=valn pid=valm)) | transaction name=email | search to=root
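To make the expansion concrete, here is an added Python model of it (not Splunk's code, and not part of this page): it seeds with events matching the stanza's search plus the user's terms, repeatedly pulls in events sharing any located qid or pid value until nothing new is found or max_terms is reached, then assembles the final search in the shape shown above. It assumes events are dicts of already-extracted fields, that the stanza search and <search-string> are field=value pairs, and that max_terms caps distinct (qid, pid) pairs.

```python
# Added example, not Splunk's code: a Python model of the expansion searchtxn
# performs for the "email" stanza above. Assumed simplifications: events are
# dicts of already-extracted fields, the stanza search and the user's
# <search-string> are field=value pairs, and max_terms caps distinct (qid, pid) pairs.

# Constructed sendmail_syslog-style events: q1/p1, q1/p2 and q2/p2 chain into one
# transaction; q3/p3 is unrelated; the "other" event shares qid=q1 but is outside
# the stanza's base search, so it must not be pulled in.
EVENTS = [
    {"sourcetype": "sendmail_syslog", "qid": "q1", "pid": "p1", "to": "root"},
    {"sourcetype": "sendmail_syslog", "qid": "q1", "pid": "p2", "from": "David Smith"},
    {"sourcetype": "sendmail_syslog", "qid": "q2", "pid": "p2", "status": "sent"},
    {"sourcetype": "sendmail_syslog", "qid": "q3", "pid": "p3", "to": "bob"},
    {"sourcetype": "other", "qid": "q1", "pid": "p9"},
]
EMAIL_STANZA = {"fields": ["qid", "pid"], "search": {"sourcetype": "sendmail_syslog"}}

def matches(event, terms):
    return all(event.get(k) == v for k, v in terms.items())

def expand_pairs(events, stanza, search_terms, max_terms=1000):
    """Collect the (qid, pid) pairs that bind the matching transactions together.

    Seed with events matching the stanza search plus the user's terms, then keep
    pulling in events (within the stanza search) that share any known qid or pid
    until a pass locates nothing new or the max_terms cap is hit.
    """
    fields = stanza["fields"]
    base = [e for e in events if matches(e, stanza["search"])]
    pairs = {tuple(e.get(f) for f in fields) for e in base if matches(e, search_terms)}
    while len(pairs) < max_terms:
        known = {f: {p[i] for p in pairs} - {None} for i, f in enumerate(fields)}
        found = {tuple(e.get(f) for f in fields) for e in base
                 if any(e.get(f) in known[f] for f in fields)}
        if found <= pairs:  # fixed point: no additional qid or pid values found
            break
        pairs |= found
    return sorted(pairs, key=str)

def build_spl(name, stanza, pairs, search_terms):
    """Assemble the final search in the shape shown on the page."""
    base = " ".join(f'{k}="{v}"' for k, v in stanza["search"].items())
    disj = " OR ".join(
        "(" + " ".join(f"{f}={v}" for f, v in zip(stanza["fields"], p)) + ")" for p in pairs)
    tail = " ".join(f'{k}="{v}"' for k, v in search_terms.items())
    return f"{base} ({disj}) | transaction name={name} | search {tail}"

def searchtxn(name, stanza, events, search_terms, max_terms=1000):
    """The page's `| searchtxn email to=root` as one call, returning the expanded SPL."""
    return build_spl(name, stanza, expand_pairs(events, stanza, search_terms, max_terms), search_terms)
```

Note that the q3/p3 event and the event from the other sourcetype are never pulled in, which is the behaviour to expect when a transaction is bound purely by shared field values.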
Find all email transactions to root from David Smith.
| searchtxn email to=root from="David Smith"
This documentation applies to the following versions of Splunk Cloud™: 7.0.13, 7.2.9, 8.0.2007, 8.1.2008, 7.2.10, 8.0.2006, 8.1.2009, 8.1.2011, 8.1.2012 (latest FedRAMP release), 8.1.2101, 8.1.2103, 8.2.2104