I have events that come in on a webform save action that logs the value pairs of all data elements. They look something like this.

06/21/2012 06:26:18 AM
LogName=Application
SourceName=WebAsset
EventCode=10001
EventType=4
Type=Information
ComputerName=dev-web
Category=0
CategoryString=none
RecordNumber=90606
Message=Message=Save
@objId=641
@user=Admin1
@rqstrName=James Doe
@alt1RqstrName=Jane Doe

objId is the key value for the records.

I am trying to display changes per objId over time, but only if there are changes.

sourcetype="WinEventLog:Application" "SourceName=WebAsset" | stats count as events by a_objId | eval include = if(events > 1,1,0) | search include=1 

This query works fine and returns all expected results and all fields are still available.

When I add transaction a_objId to the end, it returns zero results.

sourcetype="WinEventLog:Application" "SourceName=WebAsset" | stats count as events by a_objId | eval include = if(events > 1,1,0)  |  search include=1| transaction a_objId

Running this search shows multiple raw events for the objId still in the results.

sourcetype="WinEventLog:Application" "SourceName=WebAsset" a_objId=<value> | stats count as events by a_objId | eval include = if(events > 1,1,0) | search include=1

This search returns the desired results, just not filtered for for objIds with multiple events.

sourcetype="WinEventLog:Application" "SourceName=WebAsset" | transaction a_objId

Any ideas on what I am doing wrong here?