Recursive searches based on parent ids

Path Finder

We have logs that do stuff like this:

  message id=1
  message id=2 parent=1
  message id=2 parent=1
  message id=3 parent=1
  message id=5 parent=2
  message id=5 parent=2
  message id=6 parent=5
  message id=6 parent=5

It's easy enough to do a subsearch that gets one level of relationship, but is there any way to search for all related messages recursively?

Splunk Employee

I believe in Splunk 4.1 you can do:

  sourcetype=messages | eval f=id." ".parent | makemv f delim=" " | transaction f

but that the transaction command in 4.0 and below won't do this.
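
The recursive grouping the question asks about, worked outside Splunk as an added example that is not part of the original thread: a union-find pass links each id to its parent and returns every family of related messages. It illustrates the relationship only and makes no claim about how `transaction` is implemented; the last two log lines and the function names are constructed for this example.

```python
import re
from collections import defaultdict

# First eight lines are the sample from the question; the last two are
# constructed here to show an unrelated message tree staying separate.
SAMPLE_LOG = """\
message id=1
message id=2 parent=1
message id=2 parent=1
message id=3 parent=1
message id=5 parent=2
message id=5 parent=2
message id=6 parent=5
message id=6 parent=5
message id=10
message id=11 parent=10
"""

LINE_RE = re.compile(r"\bid=(\S+)(?:\s+parent=(\S+))?")

def group_related(log):
    """Group message ids into families linked by any chain of parent ids."""
    root_of = {}  # union-find forest: id -> representative id

    def find(x):
        root_of.setdefault(x, x)
        while root_of[x] != x:
            root_of[x] = root_of[root_of[x]]  # path halving
            x = root_of[x]
        return x

    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # line carries no id, nothing to link
        child = find(m.group(1))
        if m.group(2) is not None:
            root_of[child] = find(m.group(2))  # merge child's family into parent's

    families = defaultdict(set)
    for x in root_of:
        families[find(x)].add(x)
    return sorted(sorted(f) for f in families.values())

def related_to(log, msg_id):
    """Return every id reachable from msg_id through parent links, either direction."""
    return next((f for f in group_related(log) if msg_id in f), [])

if __name__ == "__main__":
    print(related_to(SAMPLE_LOG, "5"))
```

Duplicate log lines and parent references to ids that never appear on their own line are both handled, since each link is merged idempotently and unseen parents are created on first lookup.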