https://community.splunk.com/t5/Splunk-Search/How-do-you-find-consecutive-events-in-two-different-searches/m-p/401423#M116200 <P>You can use the <CODE>startswith</CODE> and <CODE>endswith</CODE> option as well.<BR /> So your transaction command should look something like <CODE>|transaction maxspan=5s startswith="some str 1" endswith = "some str 2"</CODE></P> Fri, 11 Jan 2019 04:59:01 GMT bangalorep 2019-01-11T04:59:01Z https://community.splunk.com/t5/Splunk-Search/How-do-you-find-consecutive-events-in-two-different-searches/m-p/401420#M116197 <P>Hi,</P> <P>This is a newbie question.</P> <P>I have two different searches. I want to combine the search results and only display a result where a certain event appears before another result.</P> <P>For e.g.</P> <P>Search1 : sourcetype=SourceType_A "Some str 1"<BR /> Search2 : sourcetype=SourceType_B "Some str 2"</P> <P>Result set should be:<BR /> Some str 2 <BR /> Some str 1</P> <P>So I want to show only those instances where "Some str 1" is followed by "Some str 2" and time gap in within say 3 secs.</P> Tue, 29 Sep 2020 22:44:05 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-find-consecutive-events-in-two-different-searches/m-p/401420#M116197 funnysage 2020-09-29T22:44:05Z https://community.splunk.com/t5/Splunk-Search/How-do-you-find-consecutive-events-in-two-different-searches/m-p/401421#M116198 <P>Hello,<BR /> You can use the transaction command. <BR /> So essentially a search like <CODE>(sourcetype=SourceType_A "Some str 1") OR (sourcetype=SourceType_B "Some str 2")</CODE> will get the events in the same search. <BR /> You can then use the <CODE>transaction</CODE> command based on whats common among the events and use the <CODE>maxspan</CODE> option to specify the time gap you want.<BR /> Here is the documentation for the transaction command <A href="https://docs.splunk.com/Documentation/Splunk/7.2.3/SearchReference/Transaction">https://docs.splunk.com/Documentation/Splunk/7.2.3/SearchReference/Transaction</A></P> Thu, 10 Jan 2019 09:33:28 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-find-consecutive-events-in-two-different-searches/m-p/401421#M116198 bangalorep 2019-01-10T09:33:28Z https://community.splunk.com/t5/Splunk-Search/How-do-you-find-consecutive-events-in-two-different-searches/m-p/401422#M116199 <P>Hi There,</P> <P>Thanks for the feedback.<BR /> I used this criteria: <CODE>(sourcetype=SourceType_A "Some str 1") OR (sourcetype=SourceType_B "Some str 2")|transaction maxspan=5s</CODE>.<BR /> Using this i was able to group together the series of events that i was interested in. However, i am getting some extra events. My output looks something like this:</P> <P>"Some str 1"<BR /> "Some str 1"<BR /> <STRONG>"Some str 1" &lt;- event group that i am interested. I wanted this group as the output.<BR /> "Some str 2"</STRONG><BR /> "Some str 1"</P> Thu, 10 Jan 2019 23:02:30 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-find-consecutive-events-in-two-different-searches/m-p/401422#M116199 funnysage 2019-01-10T23:02:30Z https://community.splunk.com/t5/Splunk-Search/How-do-you-find-consecutive-events-in-two-different-searches/m-p/401423#M116200 <P>You can use the <CODE>startswith</CODE> and <CODE>endswith</CODE> option as well.<BR /> So your transaction command should look something like <CODE>|transaction maxspan=5s startswith="some str 1" endswith = "some str 2"</CODE></P> Fri, 11 Jan 2019 04:59:01 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-find-consecutive-events-in-two-different-searches/m-p/401423#M116200 bangalorep 2019-01-11T04:59:01Z https://community.splunk.com/t5/Splunk-Search/How-do-you-find-consecutive-events-in-two-different-searches/m-p/401424#M116201 <P>Check out below thread. I had similar query resolved using transaction command</P> <P><A href="https://answers.splunk.com/answers/714361/how-do-you-group-start-and-end-times-from-a-set-of.html">https://answers.splunk.com/answers/714361/how-do-you-group-start-and-end-times-from-a-set-of.html</A></P> Fri, 11 Jan 2019 05:54:39 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-find-consecutive-events-in-two-different-searches/m-p/401424#M116201 nareshinsvu 2019-01-11T05:54:39Z https://community.splunk.com/t5/Splunk-Search/How-do-you-find-consecutive-events-in-two-different-searches/m-p/401425#M116202 <P>This works perfectly. Thanks.</P> Fri, 11 Jan 2019 06:04:29 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-find-consecutive-events-in-two-different-searches/m-p/401425#M116202 funnysage 2019-01-11T06:04:29Z