https://community.splunk.com/t5/Splunk-Search/Strange-search-behavior-with-quot-transaction-quot/m-p/410352#M118382 <P>The transaction command is very resource expensive command. You're using very basic transaction command (not additional transaction limiting options being used) and based on your data, the virtual memory usage could be very high and due to search being finalized, it may not be returning any data. I would say, try using stats instead of transaction for your search.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/7.1.2/Search/Abouttransactions#Using_stats_instead_of_transaction">http://docs.splunk.com/Documentation/Splunk/7.1.2/Search/Abouttransactions#Using_stats_instead_of_transaction</A></P> Thu, 16 Aug 2018 17:13:59 GMT somesoni2 2018-08-16T17:13:59Z https://community.splunk.com/t5/Splunk-Search/Strange-search-behavior-with-quot-transaction-quot/m-p/410351#M118381 <P>Hello, <BR /> Could someone explain me the following strange behavior with search</P> <P>With this type of search :</P> <P>sourcetype="cisco:esa:textmail" | transaction internal_message_id | search "<A href="mailto:My_email_address@address.com" target="_blank">My_email_address@address.com</A>"</P> <P>When i make a search on last 15 minutes, last hour or last 4 hours, my search work and return me answers .</P> <P>If i use a specified period time it work too.</P> <P>As soon as i use 24hours or more, the search give me no answer. </P> <P>How to explain this ?</P> <P>Sorry for my english and thanks in advance</P> Tue, 29 Sep 2020 20:55:46 GMT https://community.splunk.com/t5/Splunk-Search/Strange-search-behavior-with-quot-transaction-quot/m-p/410351#M118381 cnoulin 2020-09-29T20:55:46Z https://community.splunk.com/t5/Splunk-Search/Strange-search-behavior-with-quot-transaction-quot/m-p/410352#M118382 <P>The transaction command is very resource expensive command. You're using very basic transaction command (not additional transaction limiting options being used) and based on your data, the virtual memory usage could be very high and due to search being finalized, it may not be returning any data. I would say, try using stats instead of transaction for your search.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/7.1.2/Search/Abouttransactions#Using_stats_instead_of_transaction">http://docs.splunk.com/Documentation/Splunk/7.1.2/Search/Abouttransactions#Using_stats_instead_of_transaction</A></P> Thu, 16 Aug 2018 17:13:59 GMT https://community.splunk.com/t5/Splunk-Search/Strange-search-behavior-with-quot-transaction-quot/m-p/410352#M118382 somesoni2 2018-08-16T17:13:59Z https://community.splunk.com/t5/Splunk-Search/Strange-search-behavior-with-quot-transaction-quot/m-p/410353#M118383 <P>thank you for your answer.<BR /> I'm a splunk noob and try some differents syntax with the stat command but no one work...<BR /> Coulmd you help me and give me the syntax ?<BR /> I try different functions but no one work.</P> Fri, 17 Aug 2018 07:02:20 GMT https://community.splunk.com/t5/Splunk-Search/Strange-search-behavior-with-quot-transaction-quot/m-p/410353#M118383 cnoulin 2018-08-17T07:02:20Z https://community.splunk.com/t5/Splunk-Search/Strange-search-behavior-with-quot-transaction-quot/m-p/410354#M118384 <P>another thing.<BR /> The goal is to have a "unique" log entry when i visualize in splunk.<BR /> Actually ESA send me one line by log and the complete mail transaction is very difficult to analyse.<BR /> Mayube there is another solution to aggregate during indexing instead of during visualization ?</P> Fri, 17 Aug 2018 07:06:45 GMT https://community.splunk.com/t5/Splunk-Search/Strange-search-behavior-with-quot-transaction-quot/m-p/410354#M118384 cnoulin 2018-08-17T07:06:45Z https://community.splunk.com/t5/Splunk-Search/Strange-search-behavior-with-quot-transaction-quot/m-p/410355#M118385 <P>Add <CODE>keepevicted=true</CODE> to your query:</P> <PRE><CODE>sourcetype="cisco:esa:textmail" | transaction internal_message_id keepevicted=true | search "My_email_address@address.com" </CODE></PRE> <P>If you run a query that will generates a lot of events without it you will find a green exclamation mark beside "job" with this message:</P> <PRE><CODE>Some transactions have been discarded. To include them, add keepevicted=true to your transaction command. </CODE></PRE> Fri, 17 Aug 2018 09:08:26 GMT https://community.splunk.com/t5/Splunk-Search/Strange-search-behavior-with-quot-transaction-quot/m-p/410355#M118385 aakwah 2018-08-17T09:08:26Z https://community.splunk.com/t5/Splunk-Search/Strange-search-behavior-with-quot-transaction-quot/m-p/410356#M118386 <P>it work, perfect !<BR /> Thanks</P> Fri, 17 Aug 2018 09:17:07 GMT https://community.splunk.com/t5/Splunk-Search/Strange-search-behavior-with-quot-transaction-quot/m-p/410356#M118386 cnoulin 2018-08-17T09:17:07Z https://community.splunk.com/t5/Splunk-Search/Strange-search-behavior-with-quot-transaction-quot/m-p/410357#M118387 <P>Welcome ! </P> Fri, 17 Aug 2018 14:34:23 GMT https://community.splunk.com/t5/Splunk-Search/Strange-search-behavior-with-quot-transaction-quot/m-p/410357#M118387 aakwah 2018-08-17T14:34:23Z https://community.splunk.com/t5/Splunk-Search/Strange-search-behavior-with-quot-transaction-quot/m-p/410358#M118388 <P>@cnoulin as @somesoni2 mentioned, stats is a better option for your use case. However, for us to assist you better you would need to provide more details on what fields and values you want to show after correlating them. If you lookup Splunk Answers you will find several examples.</P> <PRE><CODE>sourcetype="cisco:esa:textmail" | stats count as eventCount min(_time) as _time max(_time) as LatestTime internal_message_id | eval duration=LatestTime-_time | fields - LatestTime </CODE></PRE> Fri, 17 Aug 2018 14:46:13 GMT https://community.splunk.com/t5/Splunk-Search/Strange-search-behavior-with-quot-transaction-quot/m-p/410358#M118388 niketn 2018-08-17T14:46:13Z