Hi,
Do you mean that you want to put together the events with the same Ticket?
Do you have any element?
Following is an example:
2018-12-13 14:08:24,281 id-bbb End Ticket: 2
2018-12-13 14:07:24,281 id-bbb data3
2018-12-13 14:06:24,281 id-bbb data2
2018-12-13 14:05:24,281 id-bbb data1
2018-12-13 14:04:24,281 id-bbb Start Ticket: 2
2018-12-13 14:08:24,281 id-aaa End Ticket: 1
2018-12-13 14:07:24,281 id-aaa data3
2018-12-13 14:06:24,281 id-aaa data2
2018-12-13 14:05:24,281 id-aaa data1
2018-12-13 14:04:24,281 id-aaa Start Ticket: 1
If your events have elements like "id-aaa", you can combine events using the "transaction" command.
ex.
source="test.log" host="test01" sourcetype="test"
| rex field=_raw "(?ms)^[^,\\n]*,\\d+\\s+(?P<id>[^ ]+)"
| transaction host id startswith="Start" endswith="End"
Is my image correct?
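The grouping the answer above describes (extract an id with rex, then stitch each id's events into one Start..End transaction) can be reproduced outside Splunk to check what the search will produce. The following is an added Python example, not code from the answer or from Splunk: it applies the same regex to the sample lines quoted in the answer, sorts them into time order (Splunk lists newest first), and pairs "Start"/"End" markers per (host, id) the way `transaction host id startswith="Start" endswith="End"` would, reporting eventcount and duration for each group. The host value "test01" is assumed from the search in the answer, since the sample lines carry no host field; the function names are hypothetical. It also handles the two cases the one-liner hides: an event whose id has no open transaction (orphan) and a Start with no matching End (reported with closed=False).

```python
import re
from datetime import datetime

# Regex adapted from the rex command in the answer: skip the timestamp up to its
# comma-separated millisecond field, then capture the next token as "id".
ID_PATTERN = re.compile(r"^[^,\n]*,\d+\s+(?P<id>[^ ]+)")
TS_FORMAT = "%Y-%m-%d %H:%M:%S,%f"

# Sample events copied from the answer above (Splunk shows newest first),
# so the code has to sort them before pairing Start/End markers.
SAMPLE_LINES = """\
2018-12-13 14:08:24,281 id-bbb End Ticket: 2
2018-12-13 14:07:24,281 id-bbb data3
2018-12-13 14:06:24,281 id-bbb data2
2018-12-13 14:05:24,281 id-bbb data1
2018-12-13 14:04:24,281 id-bbb Start Ticket: 2
2018-12-13 14:08:24,281 id-aaa End Ticket: 1
2018-12-13 14:07:24,281 id-aaa data3
2018-12-13 14:06:24,281 id-aaa data2
2018-12-13 14:05:24,281 id-aaa data1
2018-12-13 14:04:24,281 id-aaa Start Ticket: 1
"""


def parse_event(line, host="test01"):
    """Return a dict with _time, host, id and _raw for one log line, or None if no id."""
    m = ID_PATTERN.match(line)
    if not m:
        return None
    ts_text = line[: m.start("id")].rstrip()  # e.g. "2018-12-13 14:08:24,281"
    return {
        "_time": datetime.strptime(ts_text, TS_FORMAT),
        "host": host,  # assumed: host="test01" from the search; not present in the sample lines
        "id": m.group("id"),
        "_raw": line,
    }


def build_transactions(lines, startswith="Start", endswith="End", host="test01"):
    """Group events per (host, id) between a Start and an End marker, like Splunk's transaction.

    Returns (transactions, orphans): transactions is a list of dicts with host, id, events,
    eventcount, duration (seconds) and closed (False if no End was seen); orphans are events
    whose id had no open transaction when they arrived.
    """
    events = [e for e in (parse_event(l, host) for l in lines.splitlines()) if e]
    events.sort(key=lambda e: e["_time"])  # pair markers in chronological order
    open_tx = {}   # (host, id) -> transaction currently being assembled
    done = []
    orphans = []
    for ev in events:
        key = (ev["host"], ev["id"])
        if startswith in ev["_raw"]:
            if key in open_tx:  # a new Start before the previous End: close the old one as incomplete
                done.append(open_tx.pop(key))
            open_tx[key] = {"host": ev["host"], "id": ev["id"], "events": [ev], "closed": False}
            continue
        tx = open_tx.get(key)
        if tx is None:
            orphans.append(ev)
            continue
        tx["events"].append(ev)
        if endswith in ev["_raw"]:
            tx["closed"] = True
            done.append(open_tx.pop(key))
    done.extend(open_tx.values())  # transactions that never saw an End marker
    for tx in done:
        first, last = tx["events"][0]["_time"], tx["events"][-1]["_time"]
        tx["eventcount"] = len(tx["events"])
        tx["duration"] = (last - first).total_seconds()
    done.sort(key=lambda t: t["events"][0]["_time"])
    return done, orphans


if __name__ == "__main__":
    txs, orphans = build_transactions(SAMPLE_LINES)
    for tx in txs:
        print(f"{tx['host']} {tx['id']}: eventcount={tx['eventcount']} "
              f"duration={tx['duration']}s closed={tx['closed']}")
    print(f"orphan events: {len(orphans)}")
```

Run against the sample, it yields two closed transactions (id-aaa and id-bbb), each with 5 events and a 240-second duration, which is what the transaction command in the answer should show as eventcount and duration. Checking the unterminated and orphan cases is worth doing before trusting the search: Splunk will still emit a transaction for a Start with no End, so counting only closed=True groups is the safer way to measure completed tickets.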