Splunk Transaction: The transaction command detects transactions based on events that meet various constraints. Transactions are made up of the raw text (the _raw field) of each member, the time and date fields of the earliest member, as well as all other fields of each member.
Additionally, the transaction command adds two fields to the raw events: duration and eventcount. The values in the duration field show the difference between the timestamps of the first and last events in a transaction. The values in the eventcount field indicate the number of events in the transaction.
Transactions returned at search time include the raw text of each event, the shared event type, and the field values. Transactions also contain additional data that is stored in two fields: duration and transactiontype.
Duration is the duration of the transaction (the difference between the timestamps of the first and last events of the transaction).
Transactiontype is the name of the transaction (as defined in transactiontypes.conf by the transaction's stanza name).
You can add transactions to any search. For best search performance, craft your search and then pipe it to the transaction command. For more information, see the topic on Transaction Commands in the Search Reference Manual.
How to Use Transaction
The transaction command is much easier to use than it may seem. To use it in a Splunk search, just pipe your search to the command in this format:
| transaction <field>
That is all; nothing more is required to use the command. However, to get the most accurate results, it is best to add a few more options to the line:
| transaction <field> maxevents=# startswith="<value>" endswith="<value>"
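As an added example (not code from this page or from Splunk), the following Python approximates how the command line above groups events by a field and derives the duration and eventcount fields, run over a constructed session log; Splunk itself evaluates these options somewhat differently (for instance it walks events in reverse time order), so this only illustrates the semantics described above.

```python
# Constructed sample events (not from the page): a small web-session log,
# already extracted into fields the way Splunk would present them.
EVENTS = [
    {"_time": 100.0, "session": "A", "_raw": "session=A action=login user=alice"},
    {"_time": 103.0, "session": "B", "_raw": "session=B action=login user=bob"},
    {"_time": 110.0, "session": "A", "_raw": "session=A action=view page=/account"},
    {"_time": 125.0, "session": "A", "_raw": "session=A action=logout"},
    {"_time": 130.0, "session": "B", "_raw": "session=B action=view page=/admin"},
    {"_time": 140.0, "session": "B", "_raw": "session=B action=view page=/admin"},
    {"_time": 150.0, "session": "B", "_raw": "session=B action=logout"},
]


def group_transactions(events, field, maxevents=None, startswith=None, endswith=None):
    """Approximate `| transaction <field> maxevents=# startswith=... endswith=...`.

    Events are walked in time order and grouped by the value of `field`.
    A transaction closes when an event's _raw contains `endswith` or when it
    reaches `maxevents` members; an event containing `startswith` closes any
    transaction already open for that key before starting a new one.
    Each result carries eventcount, duration and the joined _raw text.
    """
    open_tx = {}   # field value -> members of the transaction still open
    closed = []

    def close(key):
        members = open_tx.pop(key)
        closed.append({
            field: key,
            "_time": members[0]["_time"],            # transaction takes the first event's time
            "eventcount": len(members),
            "duration": members[-1]["_time"] - members[0]["_time"],
            "_raw": "\n".join(e["_raw"] for e in members),
        })

    for ev in sorted(events, key=lambda e: e["_time"]):
        key = ev[field]
        if startswith and startswith in ev["_raw"] and key in open_tx:
            close(key)                               # a new start terminates the open one
        open_tx.setdefault(key, []).append(ev)
        hit_end = bool(endswith) and endswith in ev["_raw"]
        hit_cap = maxevents is not None and len(open_tx[key]) >= maxevents
        if hit_end or hit_cap:
            close(key)

    for key in list(open_tx):                        # flush anything still open at end of data
        close(key)
    return sorted(closed, key=lambda t: (t[field], t["_time"]))


if __name__ == "__main__":
    for tx in group_transactions(EVENTS, "session", startswith="action=login", endswith="action=logout"):
        print(tx["session"], tx["eventcount"], tx["duration"])
```

Passing only maxevents=2 instead splits each session into fixed-size chunks, which shows why startswith/endswith give more accurate boundaries than a count alone.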
Credit: https://docs.splunk.com/