https://community.splunk.com/t5/Splunk-Search/Transaction-with-different-values-of-the-same-field/m-p/203944#M59260 <P>Thank you for the answer, i have updated my question, and with my current log, your query does not return 2 transactions. Can you take a quick look ?</P> Mon, 13 Jun 2016 13:59:14 GMT sieutruc 2016-06-13T13:59:14Z https://community.splunk.com/t5/Splunk-Search/Transaction-with-different-values-of-the-same-field/m-p/203940#M59256 <P>Hello,</P> <P>I have the log like below :</P> <PRE><CODE>Jun 13 10:18:59 Debug: IID 917966106 done Jun 13 10:18:59 Debug: IID 917967047 action 2 Jun 13 10:18:59 Debug: IID 917967047 action 1 Jun 13 10:18:58 Debug: IID 917966106 rewritten to IID 917967047 by engine1 Jun 13 10:18:58 Debug: IID 917966106 action 2 Jun 13 10:18:58 Debug: IID 917966106 action 1 Jun 13 10:18:58 Debug: IID 917966106 start Jun 13 10:18:56 Debug: IID 817966106 done Jun 13 10:18:56 Debug: IID 817966106 action 2 Jun 13 10:18:56 Debug: IID 817966106 action 1 Jun 13 10:18:56 Debug: IID 817966106 start </CODE></PRE> <P>I want to group into 2 transaction, normally i can use :</P> <PRE><CODE>index=X | rex field=_raw "Debug: IID (?\d+)" | transaction IID startswith="start" endswith="done" </CODE></PRE> <P>But the problem is for the second transaction, the field <CODE>IID</CODE> has 2 values ( <CODE>917966106</CODE> and <CODE>917967047</CODE> ) but they belong to the same transaction.</P> <P>Can you know how to create a transaction in this case, one containing 4 events and other containing 7 events ?</P> <P>i would appreciate any idea !</P> <P>UPDATE after the good answer of @sundareshr : my log looks actually like </P> <PRE><CODE>Jun 13 10:18:59 Debug: IID 917966106 done Jun 13 10:18:56 Debug: RID 23789 stop Jun 13 10:18:59 Debug: IID 917967047 action 2 Jun 13 10:18:59 Debug: IID 917967047 action 1 Jun 13 10:18:58 Debug: IID 917966106 rewritten to IID 917967047 by engine1 Jun 13 10:18:58 Debug: IID 917966106 action 2 Jun 13 10:18:58 Debug: IID 917966106 action 1 Jun 13 10:18:58 Debug: IID 917966106 start Jun 13 10:18:58 Debug: RID 23789 IID 917966106 created Jun 13 10:18:58 Debug: RID 23789 start details: start connection Jun 13 10:18:56 Debug: IID 817966106 done Jun 13 10:18:56 Debug: RID 12345 stop Jun 13 10:18:56 Debug: IID 817966106 action 2 Jun 13 10:18:56 Debug: IID 817966106 action 1 Jun 13 10:18:56 Debug: RID 12345 IID 817966106 created Jun 13 10:18:56 Debug: RID 12345 start details: start connection </CODE></PRE> <P>when i tried</P> <PRE><CODE>index=X | rex field=_raw "Debug: IID (?\d+)" | rex field=_raw "Debug: RID (?\d+)" |rex field=_raw "rewritten to IID (?\d+)" | eventstats first(newid) as newid) by IID | eval IID=if((isnull(newid), IID, newid) | transaction IID RID startswith="start" endswith="done" </CODE></PRE> <P>It does not give the 2 transaction ( 6 events and 10 events)<BR /> Can you give me a help again pls ?</P> Mon, 13 Jun 2016 11:20:26 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-with-different-values-of-the-same-field/m-p/203940#M59256 sieutruc 2016-06-13T11:20:26Z https://community.splunk.com/t5/Splunk-Search/Transaction-with-different-values-of-the-same-field/m-p/203941#M59257 <P>Is the problem that you have two IIDs so that messes things up?</P> <P>Do you want to use the LAST IID or the FIRST IID? Basically, is the above list you wrote two transactions, one for 917966106 with <STRONG>9</STRONG> events and one for 917967047 with <STRONG>3</STRONG> events, or is it two transactions one for 917966106 with <STRONG>10</STRONG> events and one for 917967047 with <STRONG>2</STRONG> events (i.e. does the line with two get included in the ...106 transaction or the ...047 transaction?</P> Mon, 13 Jun 2016 11:51:25 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-with-different-values-of-the-same-field/m-p/203941#M59257 Richfez 2016-06-13T11:51:25Z https://community.splunk.com/t5/Splunk-Search/Transaction-with-different-values-of-the-same-field/m-p/203942#M59258 <P>one transaction is 917966106 and 917967047 , and other one is 817966106. 917967047 is rewritten from 917966106 but both are in the same transaction. So first transaction contain 4 events and other contains 7 events.</P> Mon, 13 Jun 2016 12:06:02 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-with-different-values-of-the-same-field/m-p/203942#M59258 sieutruc 2016-06-13T12:06:02Z https://community.splunk.com/t5/Splunk-Search/Transaction-with-different-values-of-the-same-field/m-p/203943#M59259 <P>Try this</P> <PRE><CODE> index=X | rex field=_raw "Debug: IID (?&lt;IID&gt;\d+)" |rex field=_raw "rewritten to IID (?&lt;newId&gt;\d+)" | eventstats first(newid) as newid) by IID | eval IID=if((isnull(newid), IID, newid) | transaction IID startswith="start" endswith="done" </CODE></PRE> Mon, 13 Jun 2016 13:09:52 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-with-different-values-of-the-same-field/m-p/203943#M59259 sundareshr 2016-06-13T13:09:52Z https://community.splunk.com/t5/Splunk-Search/Transaction-with-different-values-of-the-same-field/m-p/203944#M59260 <P>Thank you for the answer, i have updated my question, and with my current log, your query does not return 2 transactions. Can you take a quick look ?</P> Mon, 13 Jun 2016 13:59:14 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-with-different-values-of-the-same-field/m-p/203944#M59260 sieutruc 2016-06-13T13:59:14Z https://community.splunk.com/t5/Splunk-Search/Transaction-with-different-values-of-the-same-field/m-p/203945#M59261 <P>Try this</P> <PRE><CODE>| rex "RID\s?(?&lt;rid&gt;\d+)" | rex max_match=2 "IID\s?(?&lt;iid&gt;\d+)" | rex "(?&lt;action&gt;start|done)" | eval newid=mvindex(iid, 1) | eval iid=mvindex(iid, 0) | eventstats first(newid) as newids by iid | eval iids=if(isnull(newids), iid, newids) | eventstats first(iids) as iids by rid | transaction iids </CODE></PRE> Mon, 13 Jun 2016 15:01:44 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-with-different-values-of-the-same-field/m-p/203945#M59261 sundareshr 2016-06-13T15:01:44Z https://community.splunk.com/t5/Splunk-Search/Transaction-with-different-values-of-the-same-field/m-p/203946#M59262 <P>Try this:</P> <PRE><CODE> index=X | rex field=_raw "Debug: IID (?&lt;origIID&gt;\d+)(?:\s+rewritten to IID (?&lt;newIID&gt;\d+))?" | eval newIID=coalesce(newIID, origIID) | eventstats latest(newIID) AS finalIID BY origIID | transaction finalIID </CODE></PRE> <P>BTW, transaction is a very expensive way to do this, I would swap the last line above with this one:</P> <PRE><CODE>| stats list(_time) list(_raw) BY finalIID </CODE></PRE> <P>Or maybe even this:</P> <PRE><CODE>| stats values(*) AS * values(_*) AS _* BY finalIID </CODE></PRE> Tue, 14 Jun 2016 15:31:00 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-with-different-values-of-the-same-field/m-p/203946#M59262 woodcock 2016-06-14T15:31:00Z