I am using the following splunk query

to combine the events in to one transaction based on the referenceid.
It works fine for most of the transactions ... but some transactions are grouped not based on matching referenceid
Kindly let me know what i am missing here..
Thanks in advance

index="xxxx" host="yyyy.local" referenceid | transaction startswith="SplunkLoggingStart" endswith="SplunkLoggingEnd" | convert ctime(_time) as TransactionTime

26 Jul 2017 11:16:00,833 [WARN ] {Route Executor 0} (Route.50.Filter.39) SplunkLoggingStart ReferenceId: f680f964-7057-3b9b-a5d6-f07767238e91

26 Jul 2017 11:16:00,955 [WARN ] {Route Executor 7} (Route.50.Filter.39) Step 1 InputRequest ReferenceId: f680f964-7057-3b9b-a5d6-f07767238e91

6 Jul 2017 11:15:58,127 [WARN ] {Route Executor 7} (Route.50.Filter.46) Step 4 OutputResponse ReferenceId: f680f964-7057-3b9b-a5d6-f07767238e91

26 Jul 2017 11:16:03,086 [WARN ] {Route Executor 3} (Route.50.Filter.46) SplunkLoggingEnd ReferenceId: f680f964-7057-3b9b-a5d6-f07767238e91