So, I have some error logs indexed in Splunk and I'm running a basic search looking for errors by their assigned number. The problem is that the error messages in the logs are broken up as multiple lines. The first line will look like "Error Occurred: # of the error" and the second will be a description of the error. They come into Splunk as two separate events.

Currently, my search returns the events that come from the first line. These are mostly useless. I want to also see the error descriptions, which will always be the immediate next event in the index. Is there a way to have Splunk do a search, return the results, and for each result also return the immediate next event?

I've been reading up on transaction but I have not been able to make it work. Transaction groups search results but the error description events are not results of the search. I can't include them in the search because they differ depending on the error. There aren't any shared attributes between all of the various error descriptions.

I want to be able to say "return these events AND the event directly after each of them no matter what those adjacent events are and it doesn't matter if they satisfy my search criteria". If this isn't possible, so be it, but I'd like to know that for certain. Please let me know if I can clarify in any way and thanks in advance for any replies!