I am getting an inconsistent number of events in a transaction, relative to the value specified for `maxevents=x`:
`| transaction ComputerName startswith=(EventCode=1100) maxevents=x`
Here are the eventcounts for each ComputerName where x=[10, 20, 30, 40]:
| ComputerName | x = 10 | x = 20 | x = 30 | x = 40 |
|---|---|---|---|---|
| Computer1 | 3 | 3 | 13 | 23 |
| Computer2 | 5 | 5 | 5 | 25 |
| Computer3 | 5 | 15 | 15 | 15 |
| Computer4 | 6 | 6 | 26 | 26 |
| Computer5 | 10 | 20 | 30 | 20 |
| Computer6 | 4 | 14 | 14 | 14 |
| Computer7 | 6 | 16 | 16 | 36 |
Using `maxspan` and not `maxevents` consistently produces the expected results (verified by comparing the transaction'ed events to the list of raw events).
**QUESTIONS:** All computers have more than ten events that could be included in a transaction that starts with `EventCode=1100`, so why are there fewer than 10 events included in the transaction when `maxevents=10`? Shouldn't the transaction include (i.e. eventcount) up to the `maxevents` value when possible?
Why does the eventcount jump up inconsistently when `maxevents` is changed to different values?
Why does the eventcount for Computer5 actually *decrease* from 30 to 20 when `maxevents` is *increased* to 40?