OK, I found out more... I think I might have a memory or other environment issue.
When I retried this morning, I was actually able to see a table of multiple pair entries for each event (using the | table _time, pair command). However, on a second try, I could no longer see any pairs. And when I did a count by pair, it was only detecting the first pair again.
I restarted Splunk and cleaned the index, then tried again, and this time splunkd crashed while running the first command above - but I can clearly see that multiple pairs came up per event in the results.
Before I restarted I also sa