https://community.splunk.com/t5/Splunk-Search/transaction-command-rows-for-large-dataset/m-p/747581#M241849 <P>The end goal is to find what was happening during the time between those two event ids, thank you for your help. I am very new to splunk so any thoughts on the best way to do that would be appreciated!</P> Thu, 05 Jun 2025 16:16:54 GMT N3gativeSpace 2025-06-05T16:16:54Z https://community.splunk.com/t5/Splunk-Search/transaction-command-rows-for-large-dataset/m-p/747577#M241846 <P>Here is my code:</P><PRE>index=example sourcetype=wineventlog computer_name="example"<BR />| transaction computer_name startswith="event_id=4732" endswith="event_id=4733" maxspan=15m mvraw=true mvlist=true<BR />| table _time, user.name, computer_name, event_id, _raw</PRE><P>&nbsp;I am trying to separate each event that occurs in order to get rid of fluff content such as "A security-enabled local group membership was enumerated." appearing hundreds of times. What would be the best way to do this? mvexpand has not worked for me so far.</P> Thu, 05 Jun 2025 15:50:41 GMT https://community.splunk.com/t5/Splunk-Search/transaction-command-rows-for-large-dataset/m-p/747577#M241846 N3gativeSpace 2025-06-05T15:50:41Z https://community.splunk.com/t5/Splunk-Search/transaction-command-rows-for-large-dataset/m-p/747579#M241847 <P><SPAN>"A security-enabled local group membership was enumerated." sounds like represented by a unique event_id. &nbsp;Get rid of them in the search. &nbsp;If there are specific key words/phrases that cannot be represented by event_id, the best is to use search term to eliminate. &nbsp;Finally, if there are feature words that are too hard to construct using search terms, you can use regex to eliminate.&nbsp;</SPAN></P><LI-CODE lang="markup">index=example sourcetype=wineventlog computer_name="example" NOT event_id IN (fluff_id1, fluff_id2, fluff_id3) NOT "fluff term1" NOT "fluff term2" NOT "fluff term3" | where NOT match(_raw, "fluff[r]egex1|fluf[f]regex2|fluf[fr]egex3")</LI-CODE><P>Not sure how transaction gets into the picture, however.</P> Thu, 05 Jun 2025 16:08:19 GMT https://community.splunk.com/t5/Splunk-Search/transaction-command-rows-for-large-dataset/m-p/747579#M241847 yuanliu 2025-06-05T16:08:19Z https://community.splunk.com/t5/Splunk-Search/transaction-command-rows-for-large-dataset/m-p/747580#M241848 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/310725">@N3gativeSpace</a>&nbsp;</P><P>Do you only want&nbsp;&nbsp;event_id=4732 and event_id=4733?</P><P>If so I'd look at doing something like this</P><PRE>index=example sourcetype=wineventlog computer_name="example" event_id IN (4732,4733)<BR />| eval is{event_id}=1<BR />| stats sum(is4732) as count4732, sum(is4733) as count4733, values(user.name), earliest(_time) as startTime, latest(_time) as endTime, values(event_id) by computer_name <BR />| where count4732&gt;=1 AND count4733&gt;=1</PRE><P><span class="lia-unicode-emoji" title=":glowing_star:">🌟</span><SPAN>&nbsp;</SPAN><STRONG>Did this answer help you?</STRONG><SPAN>&nbsp;</SPAN>If so, please consider:</P><UL><LI>Adding karma to show it was useful</LI><LI>Marking it as the solution if it resolved your issue</LI><LI>Commenting if you need any clarification</LI></UL><P>Your feedback encourages the volunteers in this community to continue contributing</P> Thu, 05 Jun 2025 16:18:49 GMT https://community.splunk.com/t5/Splunk-Search/transaction-command-rows-for-large-dataset/m-p/747580#M241848 livehybrid 2025-06-05T16:18:49Z https://community.splunk.com/t5/Splunk-Search/transaction-command-rows-for-large-dataset/m-p/747581#M241849 <P>The end goal is to find what was happening during the time between those two event ids, thank you for your help. I am very new to splunk so any thoughts on the best way to do that would be appreciated!</P> Thu, 05 Jun 2025 16:16:54 GMT https://community.splunk.com/t5/Splunk-Search/transaction-command-rows-for-large-dataset/m-p/747581#M241849 N3gativeSpace 2025-06-05T16:16:54Z