Splunk Search

Transaction on unique field reduces events?

salokin_
Engager

Hello,
I don't understand the following behaviour and am looking for a solution. The following example is somewhat simplified, but still contains the "error"

(admission-controller.cc AND pool_name="*")
| stats dc(id)

> 28.635

The above code selects some events and counts the unique ids. In this case 28.635.

(admission-controller.cc AND pool_name="*")
| transaction id
| stats dc(id)

> 4.999

This code now uses transaction on id. In my understanding, as there are 28.635 different ids, the result of the second statement should be the same as the first one. But it isn't, it's less with 4999 instead. Could someone please explain why and offer a solution?

Best regards
Nikolas

0 Karma

salokin_
Engager

solved it, with keepevicted=true it produces the same results.

The complete code of the second statement then looks like that:

(admission-controller.cc AND pool_name="*")
     | transaction id keepevicted=true
     | stats dc(id)

28635

0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...