We are using a transaction to group web access events by the Client IP and another field we extract (essentially filename, which is the entire "*.flv" at the end of the URL below). The transaction command looks like this:
If you take the delta between the timestamps you get 10.646, which is exactly what Splunk reports as the 'duration' field. These events meet the Client IP/Filename grouping criteria, but exceed the specified maxpause value - why is Splunk combining these into a transaction? If it's simply not that granular about the time, that's fine; we just need to understand how it's dealing with all the settings so we know what results to expect in various configurations.
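To make the expected semantics concrete, here is a small Python model of `transaction <fields> maxpause=<n>` as the documentation describes it (events sharing the grouping fields stay together only while each gap to the previous event is at most maxpause; `duration` is last timestamp minus first). This is an added example, not Splunk's implementation or code from the post; the sample events, the client IP/filenames and the maxpause values are constructed, with the 10.646 s gap taken from the question.

```python
from datetime import datetime

# Constructed sample events (not from the original post): two requests for the same
# client IP and .flv filename 10.646 s apart, plus one request for a different file.
SAMPLE_EVENTS = [
    {"_time": "2012-03-01 10:00:00.000", "clientip": "10.1.1.5", "filename": "intro.flv"},
    {"_time": "2012-03-01 10:00:10.646", "clientip": "10.1.1.5", "filename": "intro.flv"},
    {"_time": "2012-03-01 10:00:11.000", "clientip": "10.1.1.5", "filename": "outro.flv"},
]

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")

def group_transactions(events, fields, maxpause):
    """Simplified model of the transaction command: group by `fields`, close a
    transaction when the gap to the next matching event exceeds `maxpause` seconds.
    Splunk itself walks events newest-first; sorting oldest-first here gives the
    same grouping for the maxpause rule and keeps the model easy to follow."""
    ordered = sorted(events, key=lambda e: parse_time(e["_time"]))
    open_txns = {}   # grouping key -> events of the transaction still open
    closed = []
    for ev in ordered:
        key = tuple(ev[f] for f in fields)
        txn = open_txns.get(key)
        if txn is not None:
            gap = (parse_time(ev["_time"]) - parse_time(txn[-1]["_time"])).total_seconds()
            if gap > maxpause:          # pause too long: close it and start a new one
                closed.append(txn)
                txn = None
        if txn is None:
            txn = open_txns[key] = []
        txn.append(ev)
    closed.extend(open_txns.values())   # whatever is still open at the end
    return [
        {
            "key": dict(zip(fields, (t[0][f] for f in fields))),
            "eventcount": len(t),
            "duration": (parse_time(t[-1]["_time"]) - parse_time(t[0]["_time"])).total_seconds(),
        }
        for t in closed
    ]

if __name__ == "__main__":
    for maxpause in (5, 15):
        print(f"maxpause={maxpause}s")
        for txn in group_transactions(SAMPLE_EVENTS, ["clientip", "filename"], maxpause):
            print("  ", txn)
```

With maxpause=5 the two intro.flv events land in separate transactions; only with a maxpause above 10.646 s does the model merge them into one transaction with duration 10.646, which is the result the question reports seeing.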