Splunk SPL Commands

What Is the transaction Command?

The transaction command groups events that share common field values into single “transaction” events. It’s designed for correlating related activities — like all events in a user session, all steps in a workflow, or all log entries for a single incident. Each transaction gets duration, event count, and the combined raw events.

Core Syntax

| transaction <field-list> [maxspan=<time>] [maxpause=<time>] [maxevents=<int>] [startswith=<filter>] [endswith=<filter>]

Key Parameters

Parameter    Purpose
maxspan      Maximum total duration of a transaction
maxpause     Maximum gap between consecutive events
startswith   Event that must begin the transaction
endswith     Event that must end the transaction
maxevents    Maximum number of events per transaction

Security Operations Examples

1. User Session Reconstruction

index=web sourcetype=access_combined
| transaction clientip maxpause=30m maxspan=8h
| table clientip duration eventcount _time
| eval duration_min = round(duration / 60, 1)
| sort - duration_min

2. Login-to-Logout Session Tracking

index=security sourcetype=WinEventLog:Security (EventCode=4624 OR EventCode=4634)
| transaction Account_Name ComputerName startswith=(EventCode=4624) endswith=(EventCode=4634) maxspan=12h
| eval session_min = round(duration / 60, 1)
| table Account_Name ComputerName session_min eventcount

3. Attack Chain Correlation

Group related security events to reconstruct potential attack sequences per host.

index=security sourcetype=WinEventLog:Security (EventCode=4625 OR EventCode=4624 OR EventCode=4648 OR EventCode=4672)
| transaction ComputerName maxspan=10m maxpause=2m
| where eventcount > 5
| table _time ComputerName Account_Name eventcount duration

transaction vs. stats

The transaction command is resource-intensive. For many use cases, stats is a more performant alternative:

| stats min(_time) AS session_start max(_time) AS session_end count AS eventcount values(action) AS actions BY session_id
| eval duration = session_end - session_start

Feature                  transaction                stats
Preserves raw events     Yes                        No
Duration calculation     Automatic                  Manual via min/max _time
Performance              Slow — memory intensive    Fast
startswith/endswith      Yes                        No
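To make the grouping rules from the Key Parameters table and the login-to-logout search (example 2) concrete, and to show exactly what the stats alternative loses, here is an added Python model; it is not Splunk code and not part of this page's SPL. It re-implements maxspan, maxpause, maxevents, startswith and endswith over a constructed list of Windows 4624/4634/4672 events (the event list, the 12-hour maxspan and the function names transaction, stats_sessions and login_logout_sessions are assumptions of this example), then runs the stats-style min/max/count aggregation over the same events. Splunk's keepevicted handling is not modeled: groups cut short by a limit are simply returned.

```python
"""Model of the transaction parameters and the stats alternative (added example)."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Transaction:
    key: tuple      # values of the transaction fields, e.g. (Account_Name, ComputerName)
    events: list    # raw events, oldest first: the part stats cannot give you

    @property
    def duration(self) -> int:
        return self.events[-1]["_time"] - self.events[0]["_time"]

    @property
    def eventcount(self) -> int:
        return len(self.events)


def transaction(events, fields, maxspan=None, maxpause=None, maxevents=None,
                startswith: Optional[Callable] = None,
                endswith: Optional[Callable] = None):
    """Group events that share the given field values, processed oldest first.

    An open transaction is closed when the next event would exceed maxspan
    (total duration), maxpause (gap since the previous event) or maxevents, or
    when a startswith event arrives; an endswith event closes it immediately.
    With startswith set, events that arrive while no transaction is open and
    are not a start marker are dropped.
    """
    open_tx = {}   # key -> transaction still being built
    closed = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        key = tuple(ev.get(f) for f in fields)
        tx = open_tx.get(key)
        if tx is not None:
            first, last = tx.events[0]["_time"], tx.events[-1]["_time"]
            over_span = maxspan is not None and ev["_time"] - first > maxspan
            over_pause = maxpause is not None and ev["_time"] - last > maxpause
            full = maxevents is not None and tx.eventcount >= maxevents
            if over_span or over_pause or full or (startswith and startswith(ev)):
                closed.append(open_tx.pop(key))
                tx = None
        if tx is None:
            if startswith is not None and not startswith(ev):
                continue
            tx = Transaction(key, [ev])
        else:
            tx.events.append(ev)
        if endswith is not None and endswith(ev):
            closed.append(tx)
            open_tx.pop(key, None)
        else:
            open_tx[key] = tx
    closed.extend(open_tx.values())   # still open when the search ends
    return closed


def stats_sessions(events, fields):
    """The stats alternative: min/max(_time) and count BY fields.

    One row per key and no raw events; a key can never be split into several
    sessions, which is why there is no stats equivalent of startswith/endswith.
    """
    rows = {}
    for ev in events:
        key = tuple(ev.get(f) for f in fields)
        row = rows.setdefault(key, {"session_start": ev["_time"],
                                    "session_end": ev["_time"], "eventcount": 0})
        row["session_start"] = min(row["session_start"], ev["_time"])
        row["session_end"] = max(row["session_end"], ev["_time"])
        row["eventcount"] += 1
    for row in rows.values():
        row["duration"] = row["session_end"] - row["session_start"]
    return rows


# Constructed sample events (not real log data); _time is seconds from an arbitrary origin.
def ev(t, code, user, host):
    return {"_time": t, "EventCode": code, "Account_Name": user, "ComputerName": host}


EVENTS = [
    ev(0,     4624, "alice", "WS01"),   # logon
    ev(100,   4624, "bob",   "WS02"),
    ev(600,   4672, "alice", "WS01"),   # special privileges assigned mid-session
    ev(700,   4634, "bob",   "WS02"),   # bob logs off after 10 minutes
    ev(1800,  4634, "alice", "WS01"),   # alice logs off after 30 minutes
    ev(3600,  4634, "alice", "WS01"),   # stray logoff with no matching logon
    ev(7200,  4624, "alice", "WS01"),   # second logon ...
    ev(54000, 4634, "alice", "WS01"),   # ... and a logoff 13 h later, beyond maxspan=12h
]


def is_logon(e):
    return e["EventCode"] == 4624


def is_logoff(e):
    return e["EventCode"] == 4634


def login_logout_sessions():
    """Model of example 2: transaction Account_Name ComputerName startswith=(4624) endswith=(4634) maxspan=12h."""
    return transaction(EVENTS, ["Account_Name", "ComputerName"], maxspan=12 * 3600,
                       startswith=is_logon, endswith=is_logoff)


if __name__ == "__main__":
    for tx in login_logout_sessions():
        print(tx.key, "duration=%ds" % tx.duration, "eventcount=%d" % tx.eventcount)
    for key, row in stats_sessions(EVENTS, ["Account_Name", "ComputerName"]).items():
        print(key, row)
```

Running it, the transaction model yields three sessions: bob's 600-second logon/logoff, alice's 1800-second session with the 4672 event inside it, and alice's second logon as a one-event group cut off by maxspan, while the stray 4634 at 3600 s is dropped. The stats aggregation collapses all six of alice's events into one row with a 54000-second "duration", which is the practical meaning of the "Manual" and "No" cells in the table above: fast, but it cannot tell two sessions of the same account apart without a session key of its own.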

Best Practices

  • Always set maxspan and maxpause — Without time bounds, transactions can grow indefinitely and consume excessive memory.
  • Use stats when possible — If you don’t need the combined raw events or startswith/endswith logic, stats is dramatically faster.
  • Pre-filter aggressively — Narrow your events with time range and field filters before the transaction command.
  • Use maxevents as a safety valve — Prevents runaway transactions from consuming all available memory.

Next in the series: The spath command — parsing JSON and XML data.
