Hello everyone,

I'm having a hard time figuring this out.  I have a Search where I have created a Transaction in order to only display the "Create" events in a table.  This worked, but, I had to add a joiner in order to display a field from another search.  Since I did this, only the events that have values in the joiner field I used is displayed.

I need help with how can I still show all of the events from the Transaction even though they don't have values from the joiner I used.

Here's the Search I have created.  (I'm still learning all of the Search possibilities, so it might be ugly 🙂

(integrationName="Opsgenie Edge Connector - Splunk" alert.message = "STORE*" alert.message = "STORE*", alert.message != "*Latency" alert.message != "*Loss" action != "AddNote") OR (sourcetype="snow:incident" dv_opened_by=OPSGenieIntegration)
| transaction "alert.id", alert.message startswith=Create endswith=Close keepevicted=true
| where closed_txn=0
| eval joiner=if(integrationName="Opsgenie Edge Connector - Splunk", alertAlias, x_86994_opsgenie_alert_alias)
| stats values(*) as * by joiner
| where alertAlias==x_86994_opsgenie_alert_alias
| fields _time, alert.updatedAt, alert.message, alertAlias, alert.id, action, "alertDetails.Alert Details URL", _raw, closed_txn, _time, dv_number
| eval Created=strftime(_time,"%m-%d-%Y %H:%M:%S")
| rename alert.message AS "Branch"
| rename "alertDetails.Alert Details URL" as "Source Link"
| rename dv_number as Incident
| table Created, Branch, "Source Link", Incident
| sort by Created DESC

Thanks for any help on this one,

Tom