Splunk Search

Transaction on unique field reduces events?

salokin_
Engager

Hello,
I don't understand the following behaviour and am looking for a solution. The following example is somewhat simplified, but still contains the "error".

(admission-controller.cc AND pool_name="*")
| stats dc(id)

> 28.635

The above code selects some events and counts the unique ids. In this case 28.635.

(admission-controller.cc AND pool_name="*")
| transaction id
| stats dc(id)

> 4.999

This code now uses transaction on id. In my understanding, as there are 28.635 different ids, the result of the second statement should be the same as the first one. But it isn't, it's less with 4999 instead. Could someone please explain why and offer a solution?

Best regards
Nikolas

0 Karma

salokin_
Engager

Solved it: with keepevicted=true it produces the same results.

The complete code of the second statement then looks like this:

(admission-controller.cc AND pool_name="*")
     | transaction id keepevicted=true
     | stats dc(id)

28635

0 Karma
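A follow-up check, added here as an example and not part of the original posts: keepevicted=true also outputs transactions that were evicted from the open pool, so a matching dc(id) does not by itself show that every id came out as exactly one transaction. This search reuses the thread's base search and the eventcount field that transaction adds; the output names fragments, unique_ids, transactions, events and ids_split are chosen for illustration.

```spl
(admission-controller.cc AND pool_name="*")
| transaction id keepevicted=true
| stats count AS fragments, sum(eventcount) AS events BY id
| stats count AS unique_ids, sum(fragments) AS transactions, sum(events) AS events, count(eval(fragments>1)) AS ids_split
```

If transactions is larger than unique_ids, the ids counted in ids_split were emitted as more than one transaction, and per-transaction values such as duration and eventcount cover only part of their events.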