I can group the correct events into a transaction using the transaction command but now I need to be able to narrow the result by a keywork in the group but I cannot get that right.
example
host=*** minutesago=5 | transunion startswith="START" endswith="END" "keyword"
When I add a keyword to the end of the query all I get is START and END grouped together and nothing else.
Any ideas?
Thanks
