https://community.splunk.com/t5/Splunk-Search/Why-is-Transaction-command-not-working-as-expected/m-p/599771#M208753 <P>I encounter with strange issue when i use transaction and at the end sort by duration it show highest duration is 15000 but when i remove transaction it show 17000 as highest duration!!!</P> <P>FYI1:correct value is 17000 and there is no special filter exist here!</P> <P>FYI2:duration directly print in log i just use transaction to aggregate two lines.</P> <P>&nbsp;</P> <P>Here is with transaction command:</P> <LI-CODE lang="markup">| rex "actionName.*\.(?\w+\.\w+)\]" | rex "duration\[(?\d+)" | rex "transactionId\[(?\w+-\w+-\w+-\w+-\w+)" |transaction transactionId | sort - duration | table duration actionName username</LI-CODE> <P>&nbsp;</P> <P>Here is without transaction:</P> <LI-CODE lang="markup">| rex "actionName.*\.(?\w+\.\w+)\]" | rex "duration\[(?\d+)" | rex "transactionId\[(?\w+-\w+-\w+-\w+-\w+)" | sort - duration | table duration actionName username</LI-CODE> <P>&nbsp;</P> <P>Here is the log:<BR />2022-05-30 12:39:34,262 INFO&nbsp; [APP] [Act] actionName[us.st.zxc.asda.app.session.protector.QueryOnData.Allow] parameters[] transactionId[8d135d45-c117-4781-a3ed-9a6a9db7ce4d] username[ABC] startTime[1653898174262]<BR /><BR />2022-05-30 12:42:26,109 INFO&nbsp; [APP] [Act] actionName[us.st.zxc.asda.app.session.protector.QueryOnData.Allow] transactionId[8d135d45-c117-4781-a3ed-9a6a9db7ce4d] duration[171847] status[done]</P> <P>&nbsp;</P> <P>any idea?</P> <P>Thanks</P> Tue, 31 May 2022 13:58:35 GMT indeed_2000 2022-05-31T13:58:35Z https://community.splunk.com/t5/Splunk-Search/Why-is-Transaction-command-not-working-as-expected/m-p/599771#M208753 <P>I encounter with strange issue when i use transaction and at the end sort by duration it show highest duration is 15000 but when i remove transaction it show 17000 as highest duration!!!</P> <P>FYI1:correct value is 17000 and there is no special filter exist here!</P> <P>FYI2:duration directly print in log i just use transaction to aggregate two lines.</P> <P>&nbsp;</P> <P>Here is with transaction command:</P> <LI-CODE lang="markup">| rex "actionName.*\.(?\w+\.\w+)\]" | rex "duration\[(?\d+)" | rex "transactionId\[(?\w+-\w+-\w+-\w+-\w+)" |transaction transactionId | sort - duration | table duration actionName username</LI-CODE> <P>&nbsp;</P> <P>Here is without transaction:</P> <LI-CODE lang="markup">| rex "actionName.*\.(?\w+\.\w+)\]" | rex "duration\[(?\d+)" | rex "transactionId\[(?\w+-\w+-\w+-\w+-\w+)" | sort - duration | table duration actionName username</LI-CODE> <P>&nbsp;</P> <P>Here is the log:<BR />2022-05-30 12:39:34,262 INFO&nbsp; [APP] [Act] actionName[us.st.zxc.asda.app.session.protector.QueryOnData.Allow] parameters[] transactionId[8d135d45-c117-4781-a3ed-9a6a9db7ce4d] username[ABC] startTime[1653898174262]<BR /><BR />2022-05-30 12:42:26,109 INFO&nbsp; [APP] [Act] actionName[us.st.zxc.asda.app.session.protector.QueryOnData.Allow] transactionId[8d135d45-c117-4781-a3ed-9a6a9db7ce4d] duration[171847] status[done]</P> <P>&nbsp;</P> <P>any idea?</P> <P>Thanks</P> Tue, 31 May 2022 13:58:35 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-Transaction-command-not-working-as-expected/m-p/599771#M208753 indeed_2000 2022-05-31T13:58:35Z https://community.splunk.com/t5/Splunk-Search/Why-is-Transaction-command-not-working-as-expected/m-p/599797#M208767 <P>duration is a field that is (also) generated by the transaction command so the value you are extracting from the event (with rex) is getting overridden by the transaction command - try a different field name - even capitalising might work</P><PRE> | rex "actionName\[(\w+\.)*\.(?&lt;actionName&gt;\w+\.\w+)\]" | rex "duration\[(?&lt;Duration&gt;\d+)" | rex "transactionId\[(?&lt;transactionId&gt;\w+-\w+-\w+-\w+-\w+)" | transaction transactionId | sort - Duration | table Duration actionName username</PRE> Tue, 31 May 2022 06:14:34 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-Transaction-command-not-working-as-expected/m-p/599797#M208767 ITWhisperer 2022-05-31T06:14:34Z