https://community.splunk.com/t5/Splunk-Search/Why-are-the-same-queries-getting-different-result/m-p/599850#M208799 <P>Hi</P> <P>I have exactly two SPL, same date range, one with "tracnsaction" command another wirhout it.</P> <P>as you see in picture without transaction timechart show correctly but with&nbsp;transaction last part missed!</P> <P>FYI: 1-I've check log file correctly indexed and available.</P> <P>2-pair of eachtransaction availabe in log in&nbsp; missing part.</P> <P>what happen here? any idea?</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="indeed_2000_0-1653987120971.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/19869i215953FB0224A287/image-size/medium?v=v2&amp;px=400" role="button" title="indeed_2000_0-1653987120971.png" alt="indeed_2000_0-1653987120971.png" /></span></P> <P>&nbsp;</P> <P>Thanks</P> <P>&nbsp;</P> Tue, 31 May 2022 14:08:16 GMT indeed_2000 2022-05-31T14:08:16Z https://community.splunk.com/t5/Splunk-Search/Why-are-the-same-queries-getting-different-result/m-p/599850#M208799 <P>Hi</P> <P>I have exactly two SPL, same date range, one with "tracnsaction" command another wirhout it.</P> <P>as you see in picture without transaction timechart show correctly but with&nbsp;transaction last part missed!</P> <P>FYI: 1-I've check log file correctly indexed and available.</P> <P>2-pair of eachtransaction availabe in log in&nbsp; missing part.</P> <P>what happen here? any idea?</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="indeed_2000_0-1653987120971.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/19869i215953FB0224A287/image-size/medium?v=v2&amp;px=400" role="button" title="indeed_2000_0-1653987120971.png" alt="indeed_2000_0-1653987120971.png" /></span></P> <P>&nbsp;</P> <P>Thanks</P> <P>&nbsp;</P> Tue, 31 May 2022 14:08:16 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-the-same-queries-getting-different-result/m-p/599850#M208799 indeed_2000 2022-05-31T14:08:16Z https://community.splunk.com/t5/Splunk-Search/Why-are-the-same-queries-getting-different-result/m-p/599853#M208801 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/217339">@indeed_2000</a>,</P><P>if you don't share your search and results I can only suppose something!</P><P>Anyway I think that the problem is that the transpose command uses as timestamp the first timestamp of the correlated events and probably all the events after 12.00 PM are in other grouped events.</P><P>But As I said it's difficoult withou&nbsp; viewing your events.</P><P>To be sure, see if in the grouped events there are evevnts after 12.00 PM.</P><P>Ciao.</P><P>Giuseppe</P> Tue, 31 May 2022 09:00:50 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-the-same-queries-getting-different-result/m-p/599853#M208801 gcusello 2022-05-31T09:00:50Z https://community.splunk.com/t5/Splunk-Search/Why-are-the-same-queries-getting-different-result/m-p/599856#M208803 <P>transaction is limited to the number of open transactions it processes (see limits.conf) - you can override this with maxopentxns - this defaults to 5000 (hence only 4999 events). For example:</P><LI-CODE lang="markup">| transaction correlationfield maxopentxn=10000</LI-CODE><P>&nbsp;</P> Tue, 31 May 2022 09:11:21 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-the-same-queries-getting-different-result/m-p/599856#M208803 ITWhisperer 2022-05-31T09:11:21Z