I'm very new to Splunk. Could anyone please help me with the following issue?
I am in need to collect the details about the user for the Success Login attempts.
These successful login attempt events are split up into 2 or 3 events, with various details in each event. I want to group these two or three events by a transaction ID.
If I give a query like this: index=* sourcetype=* "Passed Login" | transaction TransactionID, I am getting results, but they are limited to only 4999 (up to 5000). But I have more events. Why are those events not taken into account?
If I use the parameter maxevents=2, are the unique transactions with 3 events getting omitted?
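As an added example (not part of the original post), here are the two usual ways of stitching multi-event logins together in Splunk. The index name, sourcetype name and the user and src_ip fields are assumptions; only TransactionID and the "Passed Login" string come from the question. The first search uses transaction, which keeps every open transaction in memory and so is bounded by maxspan, maxevents and the server's memory limits; the second uses stats, which aggregates per TransactionID without holding the raw events and scales to any event count:

```spl
index=auth sourcetype=app_login "Passed Login"
| transaction TransactionID maxspan=5m maxevents=3
| table _time TransactionID user src_ip eventcount duration

index=auth sourcetype=app_login "Passed Login"
| stats min(_time) as first_seen, values(user) as user, values(src_ip) as src_ip, count as eventcount by TransactionID
| where eventcount >= 2
```

Narrowing index and sourcetype instead of index=* sourcetype=* reduces the number of events the transaction command has to hold. In the transaction form, eventcount and duration are fields the command adds to each grouped result, and maxevents caps how many events one transaction may contain; the stats form produces one row per TransactionID with the user details collected from whichever of the 2 or 3 events carried them, and the final where keeps only IDs that actually spanned several events.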