https://community.splunk.com/t5/Getting-Data-In/Close-a-TRANSACTION-with-only-1-EVENT/m-p/552913#M91691 <P>Hi.<BR />I would like to unterstand why Splunk does not close a transaction with only 1 event, if i force a STARTSWITH parameter... i tried all possible parameters, but with STARTSWITH there's no way, transaction is dropped...</P><P>&nbsp;</P><P class="lia-indent-padding-left-30px"><EM>timestamp ..... user=XXXXXXXXXXXXXX action=login_do from=127.0.0.1 status=failed</EM></P><P>&nbsp;</P><P><STRONG>.... | transaction maxevents=-1 user from startswith="login_do"</STRONG></P><P>... no events returned...</P><P>&nbsp;</P><P><STRONG>.... | transaction maxevents=-1 user from</STRONG></P><P>... event cought!!!</P><P>&nbsp;</P><P>Thanks.</P> Tue, 25 May 2021 09:47:49 GMT verbal_666 2021-05-25T09:47:49Z https://community.splunk.com/t5/Getting-Data-In/Close-a-TRANSACTION-with-only-1-EVENT/m-p/552913#M91691 <P>Hi.<BR />I would like to unterstand why Splunk does not close a transaction with only 1 event, if i force a STARTSWITH parameter... i tried all possible parameters, but with STARTSWITH there's no way, transaction is dropped...</P><P>&nbsp;</P><P class="lia-indent-padding-left-30px"><EM>timestamp ..... user=XXXXXXXXXXXXXX action=login_do from=127.0.0.1 status=failed</EM></P><P>&nbsp;</P><P><STRONG>.... | transaction maxevents=-1 user from startswith="login_do"</STRONG></P><P>... no events returned...</P><P>&nbsp;</P><P><STRONG>.... | transaction maxevents=-1 user from</STRONG></P><P>... event cought!!!</P><P>&nbsp;</P><P>Thanks.</P> Tue, 25 May 2021 09:47:49 GMT https://community.splunk.com/t5/Getting-Data-In/Close-a-TRANSACTION-with-only-1-EVENT/m-p/552913#M91691 verbal_666 2021-05-25T09:47:49Z https://community.splunk.com/t5/Getting-Data-In/Close-a-TRANSACTION-with-only-1-EVENT/m-p/552923#M91692 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/28550">@verbal_666</a>&nbsp;,</P><P>&nbsp;</P><P>Have you tried adding the&nbsp;<SPAN>keepevicted=t first and then keeporphans=t in order to see if any of them are returning anything and if so, find out why that particular transaction is being evicted or treated as an orphan?</SPAN></P><P>&nbsp;</P><P><SPAN>Regards,</SPAN></P><P><SPAN>J</SPAN></P> Tue, 25 May 2021 10:53:18 GMT https://community.splunk.com/t5/Getting-Data-In/Close-a-TRANSACTION-with-only-1-EVENT/m-p/552923#M91692 javiergn 2021-05-25T10:53:18Z https://community.splunk.com/t5/Getting-Data-In/Close-a-TRANSACTION-with-only-1-EVENT/m-p/552924#M91693 <P>I was sure having used all parameters, but maybe i was wrong with some boolean&nbsp;<span class="lia-unicode-emoji" title=":expressionless_face:">😑</span></P><P>&nbsp;</P><P><STRONG>transaction <FONT color="#3366FF"><EM>keepevicted=t <FONT color="#FF0000">keeporphans=t</FONT></EM> </FONT>maxevents=-1 startswith="login_do" user from</STRONG></P><P>&nbsp;</P><P>close the single event transaction... i was sure had used both of them, maybe my mistake!!! Just the "<STRONG><FONT color="#3366FF"><EM>keepevicted=t </EM></FONT></STRONG>" is enough.</P><P>Thanks a lot!!! <span class="lia-unicode-emoji" title=":thumbs_up:">👍</span></P> Tue, 25 May 2021 11:07:33 GMT https://community.splunk.com/t5/Getting-Data-In/Close-a-TRANSACTION-with-only-1-EVENT/m-p/552924#M91693 verbal_666 2021-05-25T11:07:33Z https://community.splunk.com/t5/Getting-Data-In/Close-a-TRANSACTION-with-only-1-EVENT/m-p/552979#M91707 <P>Sometimes Splunk surprises!!!</P><P>The code that tomorrow did not work properly, now works <span class="lia-unicode-emoji" title=":face_with_rolling_eyes:">🙄</span></P><P>&nbsp;</P><P><STRONG>transaction <FONT color="#3366FF"><EM>keepevicted=<U>f </U><FONT color="#FF0000">keeporphans=<U>f</U> </FONT></EM></FONT>maxevents=-1 startswith="login_do" user from</STRONG></P><P>&nbsp;</P><P>Now works!!! I did't change anything in the query... very very strange!!!</P> Tue, 25 May 2021 16:10:01 GMT https://community.splunk.com/t5/Getting-Data-In/Close-a-TRANSACTION-with-only-1-EVENT/m-p/552979#M91707 verbal_666 2021-05-25T16:10:01Z