2022-06-12 21:51:42.274 threadId=L4C9D6WIYK2K eventType="RESPONSE" data="<TestRQ>sometestdata</TestRQ>"
2022-06-12 21:51:41.274 threadId=L4C9D6WIYK2K eventType="REQUEST" data="<TestRQ>sometestdata</TestRQ>"
2022-06-12 21:51:40.274 threadId=L4C9D6WIYK2K eventType="HEADER" data="clientIP=101.121.22.11"

Hello Team,

I have the series of events as shown above and if you see one of the event having eventType="HEADER" I have clientIP in data field .

I need to fetch REQUEST and RESPONSE events based on clientIP mentioned in third event of HEADER. Common UNIQUEID between all 3 events is threadID , How can I achieve this in splunk query ?

new to splunk i am just good in basic searches.

index= test eventType="HEADER"  clientIP=101.121.22.11------>>  and pass on the threadID to fetch the eventType="REQUEST" eventType="RESPONSE"

@ITWhisperer