I am using the following Splunk query to combine the events into one transaction based on the referenceid.
It works fine for most of the transactions, but some transactions are grouped not based on a matching referenceid.
Kindly let me know what I am missing here.
Thanks in advance
index="xxxx" host="yyyy.local" referenceid | transaction startswith="SplunkLoggingStart" endswith="SplunkLoggingEnd" | convert ctime(_time) as TransactionTime
26 Jul 2017 11:16:00,833 [WARN ] {Route Executor 0} (Route.50.Filter.39) SplunkLoggingStart ReferenceId: f680f964-7057-3b9b-a5d6-f07767238e91
26 Jul 2017 11:16:00,955 [WARN ] {Route Executor 7} (Route.50.Filter.39) Step 1 InputRequest ReferenceId: f680f964-7057-3b9b-a5d6-f07767238e91
6 Jul 2017 11:15:58,127 [WARN ] {Route Executor 7} (Route.50.Filter.46) Step 4 OutputResponse ReferenceId: f680f964-7057-3b9b-a5d6-f07767238e91
26 Jul 2017 11:16:03,086 [WARN ] {Route Executor 3} (Route.50.Filter.46) SplunkLoggingEnd ReferenceId: f680f964-7057-3b9b-a5d6-f07767238e91
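As an added illustration that is not part of the original post, the following Python script models the two grouping behaviours the question is about: grouping only on the SplunkLoggingStart/SplunkLoggingEnd markers (what the posted query does, since no field is passed to transaction) and grouping on the ReferenceId first, with the markers bounding each transaction (what `transaction referenceid startswith=... endswith=...` does). The event lines are constructed to look like the posted ones, with two transactions running on different Route Executor threads at the same time; the ReferenceId values are made up. The model is a simplified, time-ordered version of Splunk's transaction command, not its actual implementation.

```python
import re

# Constructed sample events (not from the original post): two transactions whose
# events interleave in time, as happens when several Route Executor threads run.
SAMPLE_EVENTS = [
    "26 Jul 2017 11:16:00,833 [WARN ] {Route Executor 0} (Route.50.Filter.39) SplunkLoggingStart ReferenceId: aaaa-1111",
    "26 Jul 2017 11:16:00,900 [WARN ] {Route Executor 2} (Route.50.Filter.39) SplunkLoggingStart ReferenceId: bbbb-2222",
    "26 Jul 2017 11:16:00,955 [WARN ] {Route Executor 7} (Route.50.Filter.39) Step 1 InputRequest ReferenceId: aaaa-1111",
    "26 Jul 2017 11:16:01,010 [WARN ] {Route Executor 5} (Route.50.Filter.39) Step 1 InputRequest ReferenceId: bbbb-2222",
    "26 Jul 2017 11:16:02,127 [WARN ] {Route Executor 7} (Route.50.Filter.46) Step 4 OutputResponse ReferenceId: aaaa-1111",
    "26 Jul 2017 11:16:02,500 [WARN ] {Route Executor 1} (Route.50.Filter.46) SplunkLoggingEnd ReferenceId: bbbb-2222",
    "26 Jul 2017 11:16:03,086 [WARN ] {Route Executor 3} (Route.50.Filter.46) SplunkLoggingEnd ReferenceId: aaaa-1111",
]

REF_RE = re.compile(r"ReferenceId:\s*(\S+)")


def reference_id(event):
    """Extract the ReferenceId token from one log line (None if absent)."""
    m = REF_RE.search(event)
    return m.group(1) if m else None


def group_by_markers_only(events, start="SplunkLoggingStart", end="SplunkLoggingEnd"):
    """Simplified model of `transaction startswith=... endswith=...` with no field:
    every event between a start marker and the next end marker is lumped together,
    whatever its ReferenceId. A second start closes the previous open group."""
    transactions, current = [], None
    for ev in events:
        if start in ev:
            if current is not None:
                transactions.append(current)  # unterminated group, closed by next start
            current = [ev]
        else:
            if current is None:
                current = []  # event arrived with no open start marker
            current.append(ev)
            if end in ev:
                transactions.append(current)
                current = None
    if current is not None:
        transactions.append(current)
    return transactions


def group_by_reference_id(events, start="SplunkLoggingStart", end="SplunkLoggingEnd"):
    """Simplified model of `transaction referenceid startswith=... endswith=...`:
    events are partitioned by ReferenceId first, then the markers bound each group."""
    open_txn, transactions = {}, []
    for ev in events:
        rid = reference_id(ev)
        if start in ev:
            if rid in open_txn:
                transactions.append(open_txn.pop(rid))
            open_txn[rid] = [ev]
        else:
            open_txn.setdefault(rid, []).append(ev)
            if end in ev:
                transactions.append(open_txn.pop(rid))
    transactions.extend(open_txn.values())  # groups that never saw an end marker
    return transactions


def mixed_transactions(transactions):
    """Return the groups that contain more than one ReferenceId, i.e. the
    mis-grouped transactions the question describes."""
    return [t for t in transactions if len({reference_id(e) for e in t}) > 1]


if __name__ == "__main__":
    by_markers = group_by_markers_only(SAMPLE_EVENTS)
    by_ref = group_by_reference_id(SAMPLE_EVENTS)
    print("markers only:", [len(t) for t in by_markers], "mixed:", len(mixed_transactions(by_markers)))
    print("by referenceid:", [len(t) for t in by_ref], "mixed:", len(mixed_transactions(by_ref)))
```

Run as a script, the marker-only grouping produces three groups, one of which mixes both ReferenceIds, while grouping on the ReferenceId yields exactly one clean group per transaction; the difference is the field argument that the posted query lacks.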