https://community.splunk.com/t5/Splunk-Search/Unexplained-Inconsistent-incomplete-transaction-eventcount-when/m-p/477976#M134111 <P>I am getting an inconsistent number of events in a transaction, relative to the value specified for <CODE>maxevents=x</CODE>: </P> <P><CODE>| transaction ComputerName startswith=(EventCode=1100) maxevents=x</CODE></P> <P>Here are the eventcounts for each ComputerName where x=[10, 20, 30, 40], and maxevents undefined (i.e. not included in the SPL).:</P> <P><CODE>________________ x = 10_____20_____30_____40__Undefined</CODE><BR /> <CODE>Computer1, txn A......3......3.....13.....23.....423</CODE><BR /> <CODE>Computer1, txn B......5......5......5.....25.....705</CODE><BR /> <CODE>Computer2.............5.....15.....15.....15.....855</CODE><BR /> <CODE>Computer3.............6......6.....26.....26.....986</CODE><BR /> <CODE>Computer4............10.....20.....30.....20.....100</CODE><BR /> <CODE>Computer5, txn A......4.....14.....14.....14.....134</CODE><BR /> <CODE>Computer5, txn B......6.....16.....16.....36.....836</CODE></P> <P>Using maxspan and not maxevents consistently produces the expected results (verified by comparing the transaction'ed events to the list of raw events).</P> <P><STRONG>QUESTIONS:</STRONG> All computer have more than ten events that could be included in a transaction that starts with <CODE>EventCode=1100</CODE>, so why are there less than 10 events included in the transaction when <CODE>maxevents=10</CODE>? Shouldn't the transaction include (i.e. eventcount) up to then maxevent value when possible?</P> <P>Why does the eventcount jump up inconsistently when <CODE>maxevents</CODE> is changed to different values?</P> <P>Why does the eventcount for Computer4 actually <EM>decrease</EM> from 30 to 20 when maxevents is <EM>increased</EM> to 40?</P> Fri, 06 Sep 2019 19:19:07 GMT collinrice 2019-09-06T19:19:07Z https://community.splunk.com/t5/Splunk-Search/Unexplained-Inconsistent-incomplete-transaction-eventcount-when/m-p/477976#M134111 <P>I am getting an inconsistent number of events in a transaction, relative to the value specified for <CODE>maxevents=x</CODE>: </P> <P><CODE>| transaction ComputerName startswith=(EventCode=1100) maxevents=x</CODE></P> <P>Here are the eventcounts for each ComputerName where x=[10, 20, 30, 40], and maxevents undefined (i.e. not included in the SPL).:</P> <P><CODE>________________ x = 10_____20_____30_____40__Undefined</CODE><BR /> <CODE>Computer1, txn A......3......3.....13.....23.....423</CODE><BR /> <CODE>Computer1, txn B......5......5......5.....25.....705</CODE><BR /> <CODE>Computer2.............5.....15.....15.....15.....855</CODE><BR /> <CODE>Computer3.............6......6.....26.....26.....986</CODE><BR /> <CODE>Computer4............10.....20.....30.....20.....100</CODE><BR /> <CODE>Computer5, txn A......4.....14.....14.....14.....134</CODE><BR /> <CODE>Computer5, txn B......6.....16.....16.....36.....836</CODE></P> <P>Using maxspan and not maxevents consistently produces the expected results (verified by comparing the transaction'ed events to the list of raw events).</P> <P><STRONG>QUESTIONS:</STRONG> All computer have more than ten events that could be included in a transaction that starts with <CODE>EventCode=1100</CODE>, so why are there less than 10 events included in the transaction when <CODE>maxevents=10</CODE>? Shouldn't the transaction include (i.e. eventcount) up to then maxevent value when possible?</P> <P>Why does the eventcount jump up inconsistently when <CODE>maxevents</CODE> is changed to different values?</P> <P>Why does the eventcount for Computer4 actually <EM>decrease</EM> from 30 to 20 when maxevents is <EM>increased</EM> to 40?</P> Fri, 06 Sep 2019 19:19:07 GMT https://community.splunk.com/t5/Splunk-Search/Unexplained-Inconsistent-incomplete-transaction-eventcount-when/m-p/477976#M134111 collinrice 2019-09-06T19:19:07Z