That was giving me some interesting hints, thanks. Unfortunately, the selfjoin command doesn't support anything else than joining by a single field.
So I tried to get a field, which contains the same value in both results after the 'transaction PID', like this:
searchterm | transaction PID | eval TRANS_UID=if(len(ORIG_UID)>0,ORIG_UID,UID)
Now piping this to selfjoin results in showing only the first event of the 'transaction PID' command... Using transaction TRANS_UID results in what I've noted in the comment above:
Splunk reports one matching event but doesn't show anything.
Any ideas?
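Since selfjoin accepts only a single join field, one way around the limitation described in the comment above is to build that single field yourself by concatenating the values you want to match on. The following search is an added example, not the poster's own search: `searchterm` is the placeholder already used above, `PID`, `UID` and `ORIG_UID` are the field names from the comment, and `JOINKEY` is an assumed name for the composite field; that the pair PID plus TRANS_UID is the intended join key is also an assumption.

```spl
searchterm
| transaction PID
| eval TRANS_UID=coalesce(ORIG_UID, UID)
| eval JOINKEY=PID."|".TRANS_UID
| selfjoin JOINKEY
```

`coalesce` returns the first non-null argument, so it covers the case where ORIG_UID is missing entirely (where `len(ORIG_UID)` would itself be null). Note that a field whose values differ between the events of one transaction becomes multivalued after `transaction`; collapse such fields first (for example with `mvindex` or `mvjoin`) before concatenating them, otherwise the composite key will not match as expected.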