Skip to content

Splunk Transaction Command: What It Is and How to Use It


Have you ever needed to see how long a server has been down? Or maybe find the duration of processing calls? Instead of trudging through a bunch of complicated eval statements or subtracting different time intervals, Splunk has made it simple with an all-in-one Splunk search command: Transaction.

What is the Transaction command in Splunk?

The transaction command allows Splunk users to locate events that match certain criteria. Transactions usually include information such as the duration between events and the number of events (eventcount).

A real-world example of how a transaction is used is a customer interacting with an eCommerce site. All of the actions a customer takes on the site, such as: add to cart, remove from cart, and purchase are considered transactions. 

How to Use Transaction

Using the transaction command is a lot simpler than it might seem. It’s meant to simplify the search syntax when searching for related events. To use it in a Splunk search command, just follow this format:


And that’s it. That’s the only requirement for using this command. However, to get the most accurate results, it would be best to add a few more items to the line:

|transaction <field> maxevents=# startswith= “<value>” endswith=”<value>”

This is a solid foundation for most use cases, let’s break it down:

<field> – this would be a field that correlates between the events, something to match events with

Maxevents – maximum number of events between each transaction

Startswith – events containing this term will start off the transaction event

Endswith – events containing this term will close off the transaction event

Splunk Transaction Example

In this tutorial, we’ll use the fictitious Splunk ecommerce site, Buttercup Games ecommerce Store.

Step 1: List the index and source types of data you want to search within.

We’re using the index web and source type combined with cookie.

| index*web sourcetype*access_combined_wcookie

Step 2: Pipe the transaction command.

| transaction 

Step 3: Specify how you want to differentiate between the customers and their visits.

To do this, we’ll use the field name associated with the customer’s IP address and the session ID assigned to the user when they visited the ecommerce store.

| transaction clientip JSESSIONID 

Step 4: List the field that marks the beginning of a user’s visit.

We’ll use startswith to find this information.

| transaction clientip JSESSIONID startwith=”view”

Step 5: List the field that marks the end of the user’s visit.

| transaction clientip JSESSIONID startwith=”view” ends with=”purchase”

Step 6: Set the timeframe of the search.

We chose a three-day span from August 1 – August 3, 2022.

Step 7: Apply the criteria and run the search.

how to use the transaction command in splunk

If you found this helpful… 

You don’t have to master Splunk by yourself in order to get the most value out of it. Small, day-to-day optimizations of your environment can make all the difference in how you understand and use the data in your Splunk environment to manage all the work on your plate.

Cue Atlas Assessment: a customized report to show you where your Splunk environment is excelling and opportunities for improvement. Once you download the app, you’ll get your report in just 30 minutes.

New call-to-action