https://community.splunk.com/t5/Splunk-Search/How-to-use-transaction-command/m-p/136261#M37266 <P>Many thanks MuS. It worked when I have added up the keepevicted parameter.<BR /> Could you please explain in detail what it does?</P> <P>And now I guess I don't need to mention maxevents right? Because without maxevents its clubbing fine now.<BR /> Is this correct?</P> Thu, 27 Nov 2014 08:58:46 GMT splunkn 2014-11-27T08:58:46Z https://community.splunk.com/t5/Splunk-Search/How-to-use-transaction-command/m-p/136259#M37264 <P>Im very new to splunk. Could anyone please help me with the following issue?</P> <P>I am in need to collect the details about the user for the Success Login attempts.<BR /> These success login attempts events are split up into 2 or 3 events with various details in each event. I want to group these two or three events by a transaction ID</P> <P>Sample logs</P> <PRE><CODE>Passed Login &lt;0112233&gt; username=abc Passed Login &lt;0112233&gt; userage=20 Passed Login &lt;0112233&gt; userid=12345 </CODE></PRE> <P>Field extracted - <CODE>TransactionID = 0112233</CODE></P> <P>If i give query like this <CODE>"index=* sourcetype=* "Passed Login" | transaction TransactionID</CODE>, I am getting results but which are limited to only 4999. (upto 5000). But im having more events. Why those events are not taken into account</P> <P>If I use the parameter maxevents=2, then uniquetransaction with 3 events are getting omitted?</P> <P>How to done with the above ? Any ideas??</P> <P>Thanks in advance</P> Thu, 27 Nov 2014 07:07:25 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-transaction-command/m-p/136259#M37264 splunkn 2014-11-27T07:07:25Z https://community.splunk.com/t5/Splunk-Search/How-to-use-transaction-command/m-p/136260#M37265 <P>Hi splunkn,</P> <P>you are hitting a limit which is set in <CODE>limits.conf</CODE> related to <CODE>evicted</CODE> events. Use your search like this:</P> <PRE><CODE>index=* sourcetype=* "Passed Login" | transaction keepevicted=true TransactionID </CODE></PRE> <P>Regarding your problem 3 events or more per transaction being omitted; well if you use the <CODE>maxevents=2</CODE> option you will get back max 2 events. From the docs:</P> <PRE><CODE>maxevents=&lt;int&gt; Description: The maximum number of events in a transaction. If the value is negative this constraint is disabled. By default, maxevents=1000. </CODE></PRE> <P>Hope this helps ...</P> <P>cheers, MuS</P> Thu, 27 Nov 2014 08:08:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-transaction-command/m-p/136260#M37265 MuS 2014-11-27T08:08:54Z https://community.splunk.com/t5/Splunk-Search/How-to-use-transaction-command/m-p/136261#M37266 <P>Many thanks MuS. It worked when I have added up the keepevicted parameter.<BR /> Could you please explain in detail what it does?</P> <P>And now I guess I don't need to mention maxevents right? Because without maxevents its clubbing fine now.<BR /> Is this correct?</P> Thu, 27 Nov 2014 08:58:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-transaction-command/m-p/136261#M37266 splunkn 2014-11-27T08:58:46Z https://community.splunk.com/t5/Splunk-Search/How-to-use-transaction-command/m-p/136262#M37267 <P>take a look at the docs about the <CODE>transaction</CODE> command <A href="http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Transaction">http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Transaction</A> it has all the details </P> <P>Yes, you don't need maxevents.</P> Thu, 27 Nov 2014 09:02:18 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-transaction-command/m-p/136262#M37267 MuS 2014-11-27T09:02:18Z