Recursive searches based on parent ids

We have logs that do stuff like this:

  message id=1
  message id=2 parent=1
  message id=2 parent=1
  message id=3 parent=1
  message id=5 parent=2
  message id=5 parent=2
  message id=6 parent=5
  message id=6 parent=5

It's easy enough to do a subsearch that gets one level of relationship, but is there any way to search for all related messages recursively?

Splunk Employee

I believe in Splunk 4.1 you can do:

sourcetype=messages | eval f=id." ".parent | makemv f delim=" " | transaction f

but that the transaction command in 4.0 and below won't do this.
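
The grouping the question asks for is the transitive closure of the id/parent links. The following is an added Python example, not code from this thread or from Splunk, that computes it offline with union-find over the question's sample lines; the second chain (ids 9 and 10) and all function names are constructed for illustration.

```python
import re
from collections import defaultdict
# Sample lines from the question, plus a constructed unrelated chain
# (ids 9 and 10) to show that separate trees stay separate.
SAMPLE_LOG = """\
message id=1
message id=2 parent=1
message id=2 parent=1
message id=3 parent=1
message id=5 parent=2
message id=5 parent=2
message id=6 parent=5
message id=6 parent=5
message id=9
message id=10 parent=9
"""

LINE_RE = re.compile(r"\bid=(\S+)(?:\s+parent=(\S+))?")

def find(root, x):  # follow links to the set representative, halving the path
    while root[x] != x:
        root[x] = root[root[x]]
        x = root[x]
    return x

def group_related(log_text):
    """Return {representative_id: [log lines]} for each connected set of ids."""
    root, events = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines without an id field
        mid, parent = m.group(1), m.group(2)
        root.setdefault(mid, mid)
        if parent is not None:
            root.setdefault(parent, parent)
            # Merge the child's set into the parent's; order of arrival
            # does not matter, and a cycle simply becomes a no-op.
            root[find(root, mid)] = find(root, parent)
        events.append((mid, line.strip()))
    groups = defaultdict(list)
    for mid, line in events:
        groups[find(root, mid)].append(line)
    return dict(groups)

def related_to(log_text, message_id):  # all lines linked to message_id
    for lines in group_related(log_text).values():
        if any(LINE_RE.search(l).group(1) == message_id for l in lines):
            return lines
    return []
```
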
