Hello,
I need your help to correlation some transactions by a number of reference and responses Input and Output but the reponse Output can have many results.
I have the following query with splunk but I need only in the dashboard the transactions that you have response I or O in a cell.

index="x" source="MCB-S015-FILE-MONITOREO2-170919-000-ACYPGAMA.CBL" sourcetype="x" field_header=STD2 
| eval num_trans=code_serv_std2.subcodigo_serv_std2
| transaction num_trans  with mvlist=t startswith=(resp=*I) 
| search duration>=0
| eval first_mix=mvindex(mix, 0) 
| eval last_mix=mvindex(mix, -1) 
| eval hour1=mvindex(hora, 0)
| eval hour2=mvindex(hora, -1)
| eval version1=mvindex(pref_header_std2, 0)
| eval mod_serv_std2=mvindex(modalidad_serv, 0)
| eval first_duration = tostring(duration, "duration")
| eval mytime=strftime(_time, "%Y-%m-%d") 
| eval fecha=strftime(strptime(mytime,"%Y-%m-%d"),"%d/%m/%Y")
| eval first_hour=strftime(strptime(hour1,"%H%M%S%2N"),"%H:%M:%S.%2N")
| eval last_hour=strftime(strptime(hour2,"%H%M%S%2N"),"%H:%M:%S.%2N")
| eval num_tran=mvindex(num_trans, -1)
| table mix resp version1 first_mix last_mix fecha first_hour last_hour first_duration num_tran mod_serv_std2 app_dest_std2 app_origen_std2
| rename  mix as "MIX" fecha as "Fecha" first_hour as "Hora Inicio Respuesta" last_hour as "Hora Fin Respuesta" first_duration as "Duración de Respuesta (s)"
  num_tran as "ID de Transacción" mod_serv_std2 as "Modalidad De Servicio"  first_mix as "Mix Inicio" last_mix as "Mix Fin" app_dest_std2 as "Aplicación Destino" resp as "Respuesta" app_origen_std2 as "Aplicacion Origen" version1 as Version

Result of the Query

*But I only need in the dashboard the transactions that have an response **I and one or more O. I need to discard those that only have one Input
it's possible ?***