I am a beginner in Splunk.
I have a log file with events related to the creation of some products, identified by ID1, ID2, ..., as in the sample below:
2014-08-27T09:44:33 created product with ID1
2014-08-27T09:44:34 Product ID1 handed off to Subsystem
2014-08-27T09:44:35 polling Subsystem for ID1
2014-08-27T09:44:36 created product with ID2
2014-08-27T09:44:37 polling Subsystem for ID1
2014-08-27T09:44:38 ID1 status - waiting
2014-08-27T09:44:38 Product ID2 handed off to Subsystem
2014-08-27T09:44:39 polling Subsystem for ID2
2014-08-27T09:44:40 ID2 status - waiting
2014-08-27T09:44:41 polling Subsystem for ID1
2014-08-27T09:44:42 polling Subsystem for ID2
2014-08-27T09:44:43 ID2 status - waiting
2014-08-27T09:44:44 ID1 status – waiting
2014-08-27T09:44:45 polling Subsystem for ID1
2014-08-27T09:44:46 polling Subsystem for ID2
2014-08-27T09:44:47 ID1 status - completed
2014-08-27T09:44:48 ID2 status – waiting
2014-08-27T09:44:49 polling Subsystem for ID2
2014-08-27T09:44:50 ID2 status – waiting
2014-08-27T09:44:51 polling Subsystem for ID2
2014-08-27T09:44:52 ID2 status – completed
Is it possible to create a transaction that contains only the events related to the same product identifier (e.g. only the lines that contain ID1)?
I don't know how to isolate the events by product ID in a transaction.
Thank you for any idea.
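Added example, not part of the original post: the per-product grouping the question asks for, done in Python over a constructed subset of the sample log so the expected transactions (event count, duration, final status) can be checked; in SPL the same extraction and grouping is `rex "(?<product_id>ID\d+)" | transaction product_id`, where `product_id` is an assumed field name.

```python
import re
from collections import OrderedDict
from datetime import datetime

# Constructed subset of the log lines from the question (same shape, fewer events).
SAMPLE_LOG = """\
2014-08-27T09:44:33 created product with ID1
2014-08-27T09:44:34 Product ID1 handed off to Subsystem
2014-08-27T09:44:35 polling Subsystem for ID1
2014-08-27T09:44:36 created product with ID2
2014-08-27T09:44:37 polling Subsystem for ID1
2014-08-27T09:44:38 ID1 status - waiting
2014-08-27T09:44:38 Product ID2 handed off to Subsystem
2014-08-27T09:44:47 ID1 status - completed
2014-08-27T09:44:52 ID2 status - completed
"""

# Equivalent of the SPL field extraction `rex "(?<product_id>ID\d+)"`:
# timestamp first, then a message containing exactly one product ID.
EVENT_RE = re.compile(r"^(?P<ts>\S+) (?P<msg>.*\b(?P<product_id>ID\d+)\b.*)$")
STATUS_RE = re.compile(r"status\s*[-\u2013]\s*(\w+)")  # accepts '-' or en-dash


def group_by_product(log_text):
    """Group raw lines by product_id, like `transaction product_id`.

    Returns {product_id: {"events": [...], "eventcount": n,
    "duration": seconds between first and last event, "status": last status}}.
    """
    groups = OrderedDict()
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # lines without a product ID join no transaction
        pid = m.group("product_id")
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
        g = groups.setdefault(pid, {"events": [], "first": ts, "last": ts, "status": None})
        g["events"].append(line)
        g["first"] = min(g["first"], ts)
        g["last"] = max(g["last"], ts)
        s = STATUS_RE.search(m.group("msg"))
        if s:
            g["status"] = s.group(1)  # latest status line wins
    for g in groups.values():
        g["duration"] = (g["last"] - g["first"]).total_seconds()
        g["eventcount"] = len(g["events"])
    return groups


if __name__ == "__main__":
    for pid, g in group_by_product(SAMPLE_LOG).items():
        print(pid, g["eventcount"], "events,", g["duration"], "s, status:", g["status"])
```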