I have a search defining a Transaction across (2) different log files. The problem is that some fields (not all) are missing in the results when using the transaction command. When I search for the events in the individual logs, the fields are present. Any ideas? These are all FIELD=VALUE.
I ran into the same issue, and after unsuccessfully trying to wrap my head around why Splunk sometimes "forgets" some of its field extractions when transaction is used I reverted to just rex extracting them from _raw after transaction and joined them. Not the prettiest of solutions, but it was the only way I was getting it to work.
Are you using startswith and endswith? If so you might be evicting unclosed transactions, so add keepevicted=t.
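Combining the two workarounds above (keepevicted=t on the transaction, then re-extracting the field from _raw with rex) as an added example that is not from the original thread; the index, sourcetypes, the session_id transaction key, the login/logout markers and the dest=VALUE pairs are assumed placeholders:

```spl
index=app (sourcetype=web_access OR sourcetype=app_backend) earliest=-1h
| transaction session_id startswith="action=login" endswith="action=logout" maxspan=30m keepevicted=t
| rex field=_raw max_match=0 "dest=(?<dest_rx>[^\s,]+)"
| eval dest=mvdedup(dest_rx)
| table session_id, closed_txn, eventcount, duration, dest
```

max_match=0 collects every dest= value from the concatenated _raw of the transaction and mvdedup collapses repeats, so dest is populated whether or not the automatic extraction survived. closed_txn is 0 for transactions that were evicted rather than closed by endswith, which shows which results keepevicted=t retained.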
I am noticing this problem too. When I search for the first event in my transaction, I see 100% of them with the dest field. When I transact them together with a few nearby log entries that do not have dest fields, ... SOME transactions have dest, some do not.
Are they still missing if you use |fields and specify that field? (I'd guess yes, but don't know.)