The transaction command needs to bring all the events into memory and examine them to create the transactions. This happens on the search head, and it is quite costly.
In fact, if the command runs out of resources, it will fail or give partial results.
Restricting the input is a key technique for using the transaction command. You can shorten the time range or filter the number of events (as you did).
Also, there are explicit restrictions in limits.conf , quoted below
[transactions]
maxopentxn = <integer>
* Specifies the maximum number of not yet closed transactions to keep in the open pool before starting to evict transactions.
* Defaults to 5000.
maxopenevents = <integer>
* Specifies the maximum number of events (which are) part of open transactions before transaction eviction starts happening, using LRU policy.
* Defaults to 100000.
You might also want to read about transactions in the Search Manual. The Search Manual also discusses using stats instead of transaction if possible. In my experience, the stats command will be orders of magnitude faster, but may be difficult to use in your specific case.
... View more