| 编程 |
transaction content (Filtering transaction content – Question | Splunk Answers answers.splunk.com›answering/74608/view.html I have created a query that contains a transaction and it mostly works as expected. The unexpected part is that a couple of the returned transactions contain more than 500 lines and so is truncated. ... those may not be real transactions if they only contain the repeated content. By default, a transaction will only span 1000 events. (maxevents= parameter) So if you have a transaction that has 3000 events between the start and end, it will display as three transactions. (And each will be truncated in the display to 500 lines). Скрыть Moonranger) |
