i am still confused after reading the reference
for example i fabricated some data
and search with "*|transaction host tag"
Splunk gave me 2 sets of events:
1 » 13-8-20 上午12:01:00.000
20130820 00:01:00 host=Sb tag=2 this is event5
20130820 00:02:00 tag=2 this is event6
20130821 00:02:00 host=Sa tag=2 this is event7
20130821 00:03:00 host=Sa this is event8
2 » 13-8-19 上午12:00:00.000
20130819 00:00:00 host=Sa this is event1
20130819 00:01:00 host=Sa tag=1 this is event2
20130819 00:02:00 tag=1 this is event3
20130820 00:03:00 host=Sb tag=1 this is event4
you can see that event1 and event8 are similar with a same field/value "host=Sa", but were put into different set what arguments can i use to force results contain both fields an exactly the same values?