https://community.splunk.com/t5/Splunk-Search/Only-Listing-Transactions-with-Multiple-Events/m-p/544406#M154190 <P>If you're just looking for number of events that make up the transaction, then the transaction command adds a field called&nbsp;<SPAN>eventcount to each of the results, so you can just do</SPAN></P><LI-CODE lang="markup">| where eventcount&gt;1</LI-CODE><P>Please note that transaction command has a number of issues when dealing with large data sets or long running spans between connected events and you will not see errors when using the command, only 'odd' things happening and random behaviour.</P><P>transaction has its uses, but often the same can be achieved with the stats command</P><P>&nbsp;</P> Thu, 18 Mar 2021 20:59:24 GMT bowesmana 2021-03-18T20:59:24Z https://community.splunk.com/t5/Splunk-Search/Only-Listing-Transactions-with-Multiple-Events/m-p/544402#M154188 <P>I am interested in only listing transactions of a given source entity that contain multiple events.&nbsp; Is there a quick and easy way to do this?</P><P>index=main | transaction src_entity startswith=at least one thing endswith=another thing | table src dst etc.</P> Thu, 18 Mar 2021 20:27:01 GMT https://community.splunk.com/t5/Splunk-Search/Only-Listing-Transactions-with-Multiple-Events/m-p/544402#M154188 epw0rrell 2021-03-18T20:27:01Z https://community.splunk.com/t5/Splunk-Search/Only-Listing-Transactions-with-Multiple-Events/m-p/544406#M154190 <P>If you're just looking for number of events that make up the transaction, then the transaction command adds a field called&nbsp;<SPAN>eventcount to each of the results, so you can just do</SPAN></P><LI-CODE lang="markup">| where eventcount&gt;1</LI-CODE><P>Please note that transaction command has a number of issues when dealing with large data sets or long running spans between connected events and you will not see errors when using the command, only 'odd' things happening and random behaviour.</P><P>transaction has its uses, but often the same can be achieved with the stats command</P><P>&nbsp;</P> Thu, 18 Mar 2021 20:59:24 GMT https://community.splunk.com/t5/Splunk-Search/Only-Listing-Transactions-with-Multiple-Events/m-p/544406#M154190 bowesmana 2021-03-18T20:59:24Z https://community.splunk.com/t5/Splunk-Search/Only-Listing-Transactions-with-Multiple-Events/m-p/544408#M154191 <P>Thanks, that is definitely the answer to that question but now looking at the results, I see that I need to be more specific and only display transactions where a certain field has more than one "event" value if that makes sense?&nbsp; Thanks for your help and is there a way I can do this?&nbsp;</P> Thu, 18 Mar 2021 21:03:56 GMT https://community.splunk.com/t5/Splunk-Search/Only-Listing-Transactions-with-Multiple-Events/m-p/544408#M154191 epw0rrell 2021-03-18T21:03:56Z https://community.splunk.com/t5/Splunk-Search/Only-Listing-Transactions-with-Multiple-Events/m-p/544436#M154203 <P>To count multiple values of fields, use mvcount, i.e.</P><LI-CODE lang="markup">| where mvcount(fieldname)&gt;1</LI-CODE><P>&nbsp;and a 'value' in the field will be the set of distinct values found for that field in the transaction, e.g. see this simple example</P><LI-CODE lang="markup">| makeresults count=20 | streamstats c | eval _time=_time-c | sort - _time | eval id2=ceil(c/2) | eval id3=random() % 5 | eval id=if(c&lt;9,"123","456") | transaction id | eval c_id2=mvcount(id2), c_id3=mvcount(id3)</LI-CODE> Fri, 19 Mar 2021 05:12:55 GMT https://community.splunk.com/t5/Splunk-Search/Only-Listing-Transactions-with-Multiple-Events/m-p/544436#M154203 bowesmana 2021-03-19T05:12:55Z https://community.splunk.com/t5/Splunk-Search/Only-Listing-Transactions-with-Multiple-Events/m-p/544523#M154233 <P>Work perfect thanks!!</P> Fri, 19 Mar 2021 15:15:00 GMT https://community.splunk.com/t5/Splunk-Search/Only-Listing-Transactions-with-Multiple-Events/m-p/544523#M154233 epw0rrell 2021-03-19T15:15:00Z