https://community.splunk.com/t5/Splunk-Search/Group-together-events-that-do-not-have-a-common-field-values/m-p/219274#M188047 <P>Do you mean creating a new field and have that in all events that should comprise a transaction with a same value? I would have tried doing that, but the challenge here seems to be what value would I populate the mock field with? In the case above, I would then need to have dummy values that change for every group of common events that would define a transaction. The boundary events that define the start and end of the transaction would always be the same (of course apart from the timestamp field). Also to be noted that there can any number of events between the 2 boundary events.</P> Thu, 05 Nov 2015 10:16:16 GMT nitishnair123 2015-11-05T10:16:16Z https://community.splunk.com/t5/Splunk-Search/Group-together-events-that-do-not-have-a-common-field-values/m-p/219272#M188045 <P>I have a log file from which I am pasting a particular group of events as below:</P> <P>EAITransport EAITransportDebug 4 00000229560a1489:0 2015-09-30 14:26:23 Invoking JMS Java method Receive<BR /> ObjMgrBusServiceLog InvokeMethod 4 00000229560a1489:0 2015-09-30 14:26:23 Begin: Business Service 'EAI JMS Java Business Service Caller' invoke method: 'Receive' at 982c218<BR /> EAITransport EAITransportDebug 4 00000229560a1489:0 2015-09-30 14:26:23 Begin Creating instance of java property set<BR /> EAITransport EAITransportDebug 4 00000229560a1489:0 2015-09-30 14:26:23 Begin copying properties and type<BR /> EAITransport EAITransportDebug 4 00000229560a1489:0 2015-09-30 14:26:23 Finished copying properties and type<BR /> EAITransport EAITransportDebug 4 00000229560a1489:0 2015-09-30 14:26:23 Finished copying value<BR /> EAITransport EAITransportDebug 4 00000229560a1489:0 2015-09-30 14:26:23 End Creating instance of java property set<BR /> EAITransport EAITransportDebug 4 00000229560a1489:0 2015-09-30 14:27:43 Business Service Invoke Complete<BR /> EAITransport EAITransportDebug 4 00000229560a1489:0 2015-09-30 14:27:43 Begin Creating instance of output property set<BR /> EAITransport EAITransportDebug 4 00000229560a1489:0 2015-09-30 14:27:43 Finished copying properties<BR /> EAITransport EAITransportDebug 4 00000229560a1489:0 2015-09-30 14:27:43 Finished copying type<BR /> EAITransport EAITransportDebug 4 00000229560a1489:0 2015-09-30 14:27:43 Finished copying value<BR /> EAITransport EAITransportDebug 4 00000229560a1489:0 2015-09-30 14:27:43 End Creating instance of output property set<BR /> ObjMgrBusServiceLog InvokeMethod 4 00000229560a1489:0 2015-09-30 14:27:43 Business Service 'EAI JMS Java Business Service Caller' invoke method 'Receive' Execute Time: 80.016 seconds.<BR /> ObjMgrBusServiceLog InvokeMethod 4 00000229560a1489:0 2015-09-30 14:27:43 End: Business Service 'EAI JMS Java Business Service Caller' invoke method: 'Receive' at 982c218<BR /> EAITransport EAITransportDebug 4 00000229560a1489:0 2015-09-30 14:27:43 Invoking JMS Java method Commit<BR /> ObjMgrBusServiceLog InvokeMethod 4 00000229560a1489:0 2015-09-30 14:27:43 Begin: Business Service 'EAI JMS Java Business Service Caller' invoke method: 'Commit' at 982c218<BR /> EAITransport EAITransportDebug 4 00000229560a1489:0 2015-09-30 14:27:43 Begin Creating instance of java property set<BR /> EAITransport EAITransportDebug 4 00000229560a1489:0 2015-09-30 14:27:43 Begin copying properties and type<BR /> EAITransport EAITransportDebug 4 00000229560a1489:0 2015-09-30 14:27:43 Finished copying properties and type<BR /> EAITransport EAITransportDebug 4 00000229560a1489:0 2015-09-30 14:27:43 Finished copying value<BR /> EAITransport EAITransportDebug 4 00000229560a1489:0 2015-09-30 14:27:43 End Creating instance of java property set<BR /> EAITransport EAITransportDebug 4 00000229560a1489:0 2015-09-30 14:27:43 Business Service Invoke Complete<BR /> EAITransport EAITransportDebug 4 00000229560a1489:0 2015-09-30 14:27:43 Begin Creating instance of output property set<BR /> EAITransport EAITransportDebug 4 00000229560a1489:0 2015-09-30 14:27:43 Finished copying properties<BR /> EAITransport EAITransportDebug 4 00000229560a1489:0 2015-09-30 14:27:43 Finished copying type<BR /> EAITransport EAITransportDebug 4 00000229560a1489:0 2015-09-30 14:27:43 Finished copying value<BR /> EAITransport EAITransportDebug 4 00000229560a1489:0 2015-09-30 14:27:43 End Creating instance of output property set<BR /> ObjMgrBusServiceLog InvokeMethod 4 00000229560a1489:0 2015-09-30 14:27:43 Business Service 'EAI JMS Java Business Service Caller' invoke method 'Commit' Execute Time: 0.008 seconds.<BR /> ObjMgrBusServiceLog InvokeMethod 4 00000229560a1489:0 2015-09-30 14:27:43 End: Business Service 'EAI JMS Java Business Service Caller' invoke method: 'Commit' at 982c218<BR /> ObjMgrBusServiceLog InvokeMethod 4 00000229560a1489:0 2015-09-30 14:27:43 Business Service 'EAI JMS Transport' invoke method 'ReceiveDispatch' Execute Time: 80.025 seconds.</P> <P>These events may occur multiple times with the below pattern observed in sequence in which these events occur:</P> <P>This event will always come at the beginning of the group -&gt; <BR /> EAITransport EAITransportDebug 4 xxxxxxxxxxxxxxxx:0 xxxx-xx-xx xx:xx:xx Invoking JMS Java method Receive<BR /> This event will always mark the end of the group -&gt; <BR /> ObjMgrBusServiceLog InvokeMethod 4 xxxxxxxxxxxxxxxx:0 xxxx-xx-xx xx:xx:xx Business Service 'EAI JMS Transport' invoke method 'ReceiveDispatch' Execute Time: xx.xxx seconds.</P> <P>The aim is to be able to group all these events (that lie between and including the 2 boundary events) together.<BR /> I have tried using 'transaction', but from what I understand, that would need some unique field-value in each of these events that are to be grouped together. In this case, there doesn't seem to be any. Wondering if there is any way to achieve this.</P> Thu, 05 Nov 2015 09:09:36 GMT https://community.splunk.com/t5/Splunk-Search/Group-together-events-that-do-not-have-a-common-field-values/m-p/219272#M188045 nitishnair123 2015-11-05T09:09:36Z https://community.splunk.com/t5/Splunk-Search/Group-together-events-that-do-not-have-a-common-field-values/m-p/219273#M188046 <P>have you tried creating a mock-up field before building your transactions? </P> Thu, 05 Nov 2015 09:50:38 GMT https://community.splunk.com/t5/Splunk-Search/Group-together-events-that-do-not-have-a-common-field-values/m-p/219273#M188046 asimagu 2015-11-05T09:50:38Z https://community.splunk.com/t5/Splunk-Search/Group-together-events-that-do-not-have-a-common-field-values/m-p/219274#M188047 <P>Do you mean creating a new field and have that in all events that should comprise a transaction with a same value? I would have tried doing that, but the challenge here seems to be what value would I populate the mock field with? In the case above, I would then need to have dummy values that change for every group of common events that would define a transaction. The boundary events that define the start and end of the transaction would always be the same (of course apart from the timestamp field). Also to be noted that there can any number of events between the 2 boundary events.</P> Thu, 05 Nov 2015 10:16:16 GMT https://community.splunk.com/t5/Splunk-Search/Group-together-events-that-do-not-have-a-common-field-values/m-p/219274#M188047 nitishnair123 2015-11-05T10:16:16Z https://community.splunk.com/t5/Splunk-Search/Group-together-events-that-do-not-have-a-common-field-values/m-p/219275#M188048 <P>hummm, if the timestamp is the same, maybe you could use _time as that field, or a mockup field that may contain that _time value..... I cannot be sure, as I never faced that situation. It may worth trying?</P> Thu, 05 Nov 2015 10:48:58 GMT https://community.splunk.com/t5/Splunk-Search/Group-together-events-that-do-not-have-a-common-field-values/m-p/219275#M188048 asimagu 2015-11-05T10:48:58Z https://community.splunk.com/t5/Splunk-Search/Group-together-events-that-do-not-have-a-common-field-values/m-p/219276#M188049 <P>Thanks asimagu...but the timestamp will vary as and when these events get logged in the log file in sequence.</P> Thu, 05 Nov 2015 11:11:03 GMT https://community.splunk.com/t5/Splunk-Search/Group-together-events-that-do-not-have-a-common-field-values/m-p/219276#M188049 nitishnair123 2015-11-05T11:11:03Z