Sometimes you need to look beyond individual events. You might want to group all events related to a single user session or follow a transaction through multiple systems. The Splunk transaction command makes this possible by grouping events together based on criteria you define.
What Is a Transaction in Splunk?
A transaction is a group of events that Splunk treats as a single unit. Instead of looking at individual log entries, you examine them as a logical sequence. For example, all web requests from one user session form a transaction. All authentication and application access events for a single user could form a transaction.
The transaction command groups events and creates new fields containing transaction information like duration, number of events, and transaction ID. This lets you analyze entire sequences of events rather than isolated log lines.
When You Need Transactions
Transactions are useful for tracing user activity, analyzing process flows, and detecting unusual patterns. If you want to see how long a typical user session lasts, use transactions. If you need to understand the sequence of events when a system fails, transactions help you connect the dots.
Security analysts use transactions to track attack sequences. Did a user log in, access sensitive files, and then exit? Those three events form a transaction. Detecting that sequence helps you identify compromised accounts.
Basic Transaction Syntax
The basic transaction command groups events by one or more fields. The simplest form is:
source="auth.log" | transaction user_id
This groups all events with the same user_id into transactions. Splunk creates a new field called duration (in seconds) showing how long the transaction lasted and a _raw field containing all events in the transaction.
You can also group by multiple fields:
source="web.log" | transaction user_id, session_id
This creates transactions for each unique combination of user_id and session_id.
Controlling Transaction Timeouts
By default, Splunk closes a transaction after 5 minutes of no new events with the same grouping field value. This prevents one long transaction from growing unboundedly. You can adjust this with the maxpause parameter:
source="auth.log" | transaction user_id maxpause=5m
The maxpause=5m means if no new events arrive for that user within 5 minutes, end the transaction. If events arrive after that, they start a new transaction.
Want to go deeper?
No Nonsense Introduction to Splunk
Skip the endless docs rabbit hole. This hands-on course takes you from zero to confident with Splunk searches, dashboards, and alerts. Taught by a Splunk Certified Architect with over 10 years of real-world experience.
View the course →Limiting Transaction Size
Large transactions can slow searches and consume memory. Use maxevents to limit how many events can belong to a single transaction:
source="web.log" | transaction user_id maxevents=1000
Any events beyond 1,000 in that transaction are ignored. This protects your searches from getting bogged down by unexpectedly large transactions.
Starting and Ending Transactions
By default, Splunk opens a new transaction whenever it sees a new value for your grouping field. But sometimes you want more control. Use startswith and endswith parameters to explicitly mark transaction boundaries:
source="auth.log" | transaction user_id startswith="authentication successful" endswith="logout"
This creates transactions that start when a user authenticates and end when they log out. Everything in between is part of that transaction.
This is powerful for analyzing bounded processes. For a web application, you might start a transaction when a request arrives and end it when the response is sent.
Extracting Information from Transactions
Once you've created transactions, you can extract information using functions like dc (distinct count) and stats:
source="auth.log" | transaction user_id | stats sum(eval(if(isnotnull(failed_login), 1, 0))) as failed_attempts by user_id
This counts failed login attempts per user across their entire transaction.
Analyzing Transaction Duration
The duration field created by the transaction command tells you how long transactions last. Use this to identify unusual sessions:
source="web.log" | transaction user_id | where duration > 3600 | table user_id, duration
This shows users with sessions lasting more than 1 hour (3600 seconds), which might indicate suspicious activity or legitimate long work sessions depending on your environment.
Displaying Transaction Events
By default, the transaction command groups events but doesn't show you what's inside. Use table to see individual events within each transaction:
source="auth.log" | transaction user_id | table user_id, _time, status
Or use mvexpand to expand multi-value fields if transaction fields contain multiple values.
Common Transaction Use Cases
For security operations, transactions help track attack timelines. Group events by source IP to see everything one attacker did. For system administration, group events by server or service to understand failure sequences.
For web analytics, group by session ID to see user behavior paths. Did users complete a purchase after viewing a product page? Did they encounter an error? Transactions let you trace these patterns.
Performance Considerations
Transactions can be resource intensive, especially with large numbers of grouping values or long time windows. Use maxpause to prevent runaway transactions. Index time transaction grouping is faster than search time, but that requires configuration during data ingestion.
Test transaction searches on smaller time ranges first. A transaction search on 30 days of data might timeout, while the same search on 1 day completes quickly.
Comparing Transactions to Other Methods
Other Splunk commands like stats can also group events, but they're not identical to transactions. Stats is faster and more efficient for simple grouping. Use transactions when you need to preserve event order or analyze sequences.
For very simple event correlation, dedup might be sufficient. Use transactions when grouping is complex or when event sequencing matters.
Debugging Transaction Searches
If your transaction search returns unexpected results, add a | stats count by user_id after the transaction command to see how many transactions you're creating. Verify that your grouping fields contain the values you expect.
Use maxevents=10 temporarily to keep transactions small while testing. Once you've verified the logic, increase it to realistic values.
Next Steps with Transactions
You now understand how to group events and analyze them together. The next step is combining transactions with other commands like join or using them within more complex SPL to extract meaningful insights from your data.
Transactions become powerful when combined with statistical analysis. Count transactions, measure their duration, and visualize patterns. Build dashboards showing transaction metrics to reveal trends and anomalies in your systems.
Ready to master advanced Splunk data analysis including transactions? Explore our Introduction to Splunk course for deeper training on complex SPL commands and data analysis techniques.
Ready to level up?
No Nonsense Introduction to Splunk
Learn Splunk the practical way. No death-by-slides, no waffle. Just focused video demos with real data and a structured path from installation to dashboards and alerts. From just $4.99 with lifetime access.
Start the course for $4.99 →Relevant lessons in the course