https://community.splunk.com/t5/Splunk-Search/append-and-transaction/m-p/60311#M14863 <P>Hi Jeff. Did you get the answer for your question? I am having the same problem with append + transaction</P> Wed, 15 Apr 2015 13:52:53 GMT cscaldeira 2015-04-15T13:52:53Z https://community.splunk.com/t5/Splunk-Search/append-and-transaction/m-p/60310#M14862 <P>I have a pretty complex search where I'm trying to get the DHCP and ACS authentication logs correlated by MAC address for all workstations where a particular user logged into the wireless network.</P> <PRE><CODE>index=main (host=dhcpserver) | extract mac | search [ search host=csacs* index=main CSCOacs_Passed_Authentications [ search host=csacs* index=main CSCOacs_Passed_Authentications user=*username* | fields trans_id ] | transaction maxpause=5s trans_id | lookup normalizemac input AS Calling_Station_ID OUTPUTNEW mac | dedup mac | fields mac ] | rex field=_raw "DHCPACK on (?&lt;ip_assigned&gt;[0-9\.]+) to [^\(]+\((?&lt;hostname&gt;[^\)]+)\)" | fields _time host hostname ip_assigned mac | append [ search host=csacs* index=main CSCOacs_Passed_Authentications [ search host=csacs* index=main CSCOacs_Passed_Authentications user=*username* | fields trans_id ] | transaction maxpause=5s trans_id | lookup normalizemac input AS Calling_Station_ID OUTPUTNEW mac | dedup mac | fields _time host mac user ] | transaction maxspan=20s mac </CODE></PRE> <P>Everything is working okay except for the final transaction to join the transaction between the two systems. I verified the relevant events have the same MAC address and format (lowercase aa:aa:aa:aa:aa:aa) and are well within the maxspan time. Does transaction not work across appended searches?</P> Tue, 11 Dec 2012 21:04:01 GMT https://community.splunk.com/t5/Splunk-Search/append-and-transaction/m-p/60310#M14862 jeff 2012-12-11T21:04:01Z https://community.splunk.com/t5/Splunk-Search/append-and-transaction/m-p/60311#M14863 <P>Hi Jeff. Did you get the answer for your question? I am having the same problem with append + transaction</P> Wed, 15 Apr 2015 13:52:53 GMT https://community.splunk.com/t5/Splunk-Search/append-and-transaction/m-p/60311#M14863 cscaldeira 2015-04-15T13:52:53Z https://community.splunk.com/t5/Splunk-Search/append-and-transaction/m-p/60312#M14864 <P>I think this search can be simplified:</P> <PRE><CODE> index=main (host=dhcpserver) | extract mac | search [ search host=csacs* index=main CSCOacs_Passed_Authentications user=*username* trans_id=* | dedup input | lookup normalizemac input AS Calling_Station_ID OUTPUTNEW mac | dedup mac | fields mac ] | rex field=_raw "DHCPACK on (?&lt;ip_assigned&gt;[0-9\.]+) to [^\(]+\((?&lt;hostname&gt;[^\)]+)\)" | fields _time host hostname ip_assigned mac | append [ search host=csacs* index=main CSCOacs_Passed_Authentications user=*username* trans_id=* | transaction maxpause=5s trans_id | lookup normalizemac input AS Calling_Station_ID OUTPUTNEW mac | dedup mac | fields _time host mac user ] | transaction maxspan=20s mac </CODE></PRE> <P>But I think this is the answer to your question: <A href="http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Transaction">transaction</A> </P> <BLOCKQUOTE> <P>"Given events as input, this command finds transactions based on events"</P> </BLOCKQUOTE> <P>You are not passing events to the final transaction command: you are passing summarized search results.</P> Wed, 15 Apr 2015 14:19:24 GMT https://community.splunk.com/t5/Splunk-Search/append-and-transaction/m-p/60312#M14864 lguinn2 2015-04-15T14:19:24Z https://community.splunk.com/t5/Splunk-Search/append-and-transaction/m-p/60313#M14865 <P>Is there really a difference between summarized search results and events? My impression is that append takes a result and just adds more events to it.</P> Fri, 25 Oct 2019 12:53:36 GMT https://community.splunk.com/t5/Splunk-Search/append-and-transaction/m-p/60313#M14865 simonzfor 2019-10-25T12:53:36Z