After using transactions my "raw" field looks something like this. I want to limit the amount of rows captured by transaction to be not more than 2?
Is there anyway I can add to my query now
| transaction startswith=TestResult="Start"
raw |
4015_ABCD, Start, 8/11/2020 5:37:10 PM, 12345 4015_ABCD, Complete, 8/11/2020 5:37:30 PM, 12345 |
4015_ABCD, Start, 8/12/2020 10:23:34 AM, 12345 |
1113_EFGH, Start, 8/12/2020 12:00:00 PM, 67890 1113_EFGH, Complete, 8/12/2020 1:00:00 PM, 67890 1119_EFGH, Complete, 8/12/2020 2:00:00 PM, 67890 |
Hi @moinyuso96,
as you can see in the documentation (https://docs.splunk.com/Documentation/Splunk/8.2.0/SearchReference/Transaction), it's possible to define the maximum number of events to correlate using "maxevents" option.
Ciao.
Giuseppe
Hi @moinyuso96,
as you can see in the documentation (https://docs.splunk.com/Documentation/Splunk/8.2.0/SearchReference/Transaction), it's possible to define the maximum number of events to correlate using "maxevents" option.
Ciao.
Giuseppe