Hi
I have logfiles where I have a start event and a stop event and I would like to search for all events between these two events. The start and stop event can repeat multiple times. Is that possible? It would allow me to create a virtual session from start to stop.
Thank you
Markus
I think you should use the transaction command: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction
With the "startswith" and "endswith" options, you should be able to do what you want.
| transaction startswith="startEvent" endswith="endEvent"
This should take any events between a starting event and an ending event, then group them together into transactions. I did something similar on my end recently to simulate user sessions on an internal server; transaction is a very useful command for this purpose!
Did you try the transaction command with the startswith and endswith options?
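The start-to-stop grouping described in the answers above, modelled outside Splunk as an added Python example (not code from this thread and not Splunk's implementation), useful for checking expectations against a small log extract. The log lines, host and user values are constructed, and the handling of a start with no matching stop is this sketch's own assumption.

```python
from datetime import datetime

# Constructed sample log; "startEvent"/"endEvent" are the markers used in the answer.
SAMPLE_LOG = """\
2024-05-01T10:00:00 host=web01 msg="heartbeat"
2024-05-01T10:00:05 host=web01 msg="startEvent user=alice"
2024-05-01T10:00:09 host=web01 msg="read /etc/app.conf"
2024-05-01T10:00:12 host=web01 msg="endEvent user=alice"
2024-05-01T10:01:00 host=web01 msg="startEvent user=bob"
2024-05-01T10:01:30 host=web01 msg="write /tmp/report"
2024-05-01T10:02:00 host=web01 msg="startEvent user=carol"
2024-05-01T10:02:10 host=web01 msg="endEvent user=carol"
2024-05-01T10:03:00 host=web01 msg="startEvent user=dave"
"""

def sessionize(lines, start="startEvent", end="endEvent"):
    """Group events from each start marker through the next end marker.

    Assumptions of this sketch (not taken from Splunk): lines are in ascending
    time order, events outside any session are dropped, and a second start
    before a stop closes the open session as incomplete.
    """
    sessions, current = [], None
    for line in lines:
        if not line.strip():
            continue
        ts = datetime.fromisoformat(line.split(" ", 1)[0])
        if start in line:
            if current is not None:          # previous start never saw a stop
                sessions.append(current)
            current = {"start": ts, "end": ts, "events": [line], "closed": False}
        elif current is not None:
            current["events"].append(line)
            current["end"] = ts
            if end in line:
                current["closed"] = True
                sessions.append(current)
                current = None
    if current is not None:                  # log ended while a session was open
        sessions.append(current)
    for s in sessions:
        s["duration"] = (s["end"] - s["start"]).total_seconds()
    return sessions

if __name__ == "__main__":
    for s in sessionize(SAMPLE_LOG.splitlines()):
        state = "complete" if s["closed"] else "incomplete"
        print(s["start"].isoformat(), f'{s["duration"]:.0f}s', len(s["events"]), state)
```

Sessions flagged incomplete are worth reviewing separately, since a missing stop event can mean a crashed process, a dropped log line, or a session that was still open when the extract was taken.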