https://community.splunk.com/t5/Splunk-Search/Pair-events-4778-amp-4779/m-p/579623#M201966 <P>How do I pair events 4778 &amp; 4779 for the same Logon_ID when I have multi 4778 and multi 4779?<BR />I would like to pair the first 4779 event (disconnect) with the first 4778 event (reconnect) and than do the same for the second 4779 event with the second 4778 event etc'</P> Thu, 30 Dec 2021 17:10:15 GMT eranhauser 2021-12-30T17:10:15Z https://community.splunk.com/t5/Splunk-Search/Pair-events-4778-amp-4779/m-p/579623#M201966 <P>How do I pair events 4778 &amp; 4779 for the same Logon_ID when I have multi 4778 and multi 4779?<BR />I would like to pair the first 4779 event (disconnect) with the first 4778 event (reconnect) and than do the same for the second 4779 event with the second 4778 event etc'</P> Thu, 30 Dec 2021 17:10:15 GMT https://community.splunk.com/t5/Splunk-Search/Pair-events-4778-amp-4779/m-p/579623#M201966 eranhauser 2021-12-30T17:10:15Z https://community.splunk.com/t5/Splunk-Search/Pair-events-4778-amp-4779/m-p/579707#M201992 <P>Sounds like you are looking for&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/8.2.0/SearchReference/Transaction" target="_blank">transaction</A>. &nbsp;Something like</P><LI-CODE lang="markup">| transaction Logon_ID startswith=Event_ID==4778 endswith=Event_ID==4779</LI-CODE> Sat, 01 Jan 2022 05:38:11 GMT https://community.splunk.com/t5/Splunk-Search/Pair-events-4778-amp-4779/m-p/579707#M201992 yuanliu 2022-01-01T05:38:11Z