My transactions consist of two fields named JOBID and SUBJOBID. A typical search result contains events like
JOBID=901031
JOBID=901031 SUBJOBID=441
JOBID=901031 SUBJOBID=640022429
SUBJOBID=441
SUBJOBID=640022429
JOBID=901031
JOBID=901031 SUBJOBID=472
JOBID=901031 SUBJOBID=740022431
SUBJOBID=472
SUBJOBID=740022431
JOBID=901031
How can I use the transaction command to get all these events belonging to JOBID=901031, as shown above?
I've tried using the command transaction JOBID, SUBJOBID mvlist=true, but Splunk returned four events and not the expected single one:
Transaction 1:
JOBID=901031
JOBID=901031 SUBJOBID=441
SUBJOBID=441
Transaction 2:
JOBID=901031 SUBJOBID=640022429
SUBJOBID=640022429
Transaction 3:
JOBID=901031
JOBID=901031 SUBJOBID=472
SUBJOBID=472
Transaction 4:
JOBID=901031 SUBJOBID=740022431
SUBJOBID=740022431
JOBID=901031
Maybe the following graphic illustrates my complex transaction topic a little less abstractly. Shown here: three transactions within one log snippet (the red framed, the blue framed and the green framed). The red and green ones have events related by SUBJOBIDs to the main transaction (JOBID). Going down the log, the transactions can be found nested into each other, and furthermore there are events not belonging to any transaction -- just like in real (server log) life...
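The grouping the question asks for, as an added example that is not part of the original post: events are linked whenever they share a JOBID or SUBJOBID value, and linked events are merged transitively (a union-find over field values). This is Python rather than SPL and does not describe how Splunk's transaction command works internally; the function names are hypothetical, and the events are the ones listed in the post plus one constructed unrelated line.

```python
import re

# Events as listed in the post, in log order.
EVENTS = [
    "JOBID=901031",
    "JOBID=901031 SUBJOBID=441",
    "JOBID=901031 SUBJOBID=640022429",
    "SUBJOBID=441",
    "SUBJOBID=640022429",
    "JOBID=901031",
    "JOBID=901031 SUBJOBID=472",
    "JOBID=901031 SUBJOBID=740022431",
    "SUBJOBID=472",
    "SUBJOBID=740022431",
    "JOBID=901031",
    "TASK=cleanup",  # constructed: an event that belongs to no transaction
]

# \b keeps "JOBID" from matching inside "SUBJOBID".
FIELD_RE = re.compile(r"\b(JOBID|SUBJOBID)=(\d+)")


def find(parent, key):
    """Return the representative of key's set, compressing the path."""
    parent.setdefault(key, key)
    while parent[key] != key:
        parent[key] = parent[parent[key]]
        key = parent[key]
    return key


def group_events(events):
    """Group event indexes that are connected through shared field values."""
    parent = {}
    keyed = []  # (event index, one of its field/value keys)
    for idx, raw in enumerate(events):
        keys = FIELD_RE.findall(raw)  # e.g. [("JOBID", "901031"), ("SUBJOBID", "441")]
        if not keys:
            continue  # no correlation field: not part of any transaction
        keyed.append((idx, keys[0]))
        root = find(parent, keys[0])
        for other in keys[1:]:
            parent[find(parent, other)] = root  # one event carrying both values links them
    groups = {}
    for idx, key in keyed:
        groups.setdefault(find(parent, key), []).append(idx)
    return sorted(groups.values())
```

This grouping ignores time, so if SUBJOBID values are reused by different jobs it will merge those jobs; restricting the input to a time window is one way to bound that.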