Help with subsearch

mburbidg · ‎02-03-2012

I have two different kinds of events. I would like to relate the two. The first event looks like this.

[2012-02-02 20:17:51,931] INFO - sessionId=8AD487DD-DB3F-4C3E-AB9A-302ABF05E6FC code=NewsStandPushNotificationReceived externalSignInStatus=true

The second looks like this.

[2012-02-02 20:18:03,050] INFO - sessionId=8AD487DD-DB3F-4C3E-AB9A-302ABF05E6FC code=NewsStandPushCompleted startedBackgroundDownload=true

I would like to find all the sessionIds where startedBackgroundDownload=false from the second event and externalSignInStatus=true from the first event.

I think I would be able to do this with a subsearch, but nothing I've tried has resulted in anything but 0 matching events. Can anyone help me with a subsearch that would do what I need?

Damien_Dallimor · ‎02-03-2012

A transaction based on sessionID might a better solution :

yourinitialsearch | transaction sessionId startswith="externalSignInStatus=true" endswith="startedBackgroundDownload=false"

Help with subsearch

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

Join the Conversation

Help with subsearch

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]