It sounds like what you want is the transaction command: http://www.splunk.com/base/Documentation/latest/SearchReference/Transaction
You would need to define a field that matches your session ID using perl-compatible regular expressions with either props.conf or the rex command, such as:
YourSearch | rex field=_raw "\d\d,\d\d\d \d\d/\d\d (?<SessionID>\S*)" | transaction SessionID
That will package all the lines for a particular user as one event, and give you access to things such as:
YourSearch | rex field=_raw "\d\d,\d\d\d \d\d/\d\d (?<SessionID>\S*)" | transaction SessionID | search NetworkService.queryOutages
to find only sessions that query network service outages or:
YourSearch | rex field=_raw "\d\d,\d\d\d \d\d/\d\d (?<SessionID>\S*)" | transaction SessionID | search NetworkService.queryOutages Query.Result=Error
to get sessions where they both queried network service outages and where one of the different actions they took had an error. You also get the duration field, which tells you how long the session lasted, and the eventcount field, which tells you how many individual lines were packaged into that transaction.
If you're not familiar with PCRE syntax and rex/props.conf, you can run with what I put above, or start your search with the following:
http://www.splunk.com/base/Documentation/latest/SearchReference/rex
http://www.splunk.com/base/Documentation/latest/admin/Propsconf
http://www.splunk.com/wiki/Community:RegexSyntaxInSplunk
I hope that all is helpful.
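As an added illustration (not part of the answer above or of Splunk itself), the following Python emulates what the rex + transaction + search pipeline does: it extracts SessionID from constructed sample lines, groups lines per session, computes duration and eventcount, and then filters sessions where both terms occur, possibly on different lines of the same session. The log format, session ids and timestamps are made up for the example; Python's re needs (?P<name>...) where rex accepts (?<name>...).

```python
import re
from datetime import datetime, timezone

# Constructed sample events: ISO timestamp, then the "NN,NNN NN/NN <session>"
# prefix the answer's rex expects, then the action and its result field.
SAMPLE_EVENTS = [
    "2024-03-14T10:00:00Z 10,001 03/14 sess-A User.login Query.Result=OK",
    "2024-03-14T10:00:05Z 10,002 03/14 sess-A NetworkService.queryOutages Query.Result=OK",
    "2024-03-14T10:00:09Z 10,003 03/14 sess-A Billing.lookup Query.Result=Error",
    "2024-03-14T10:01:00Z 10,004 03/14 sess-B NetworkService.queryOutages Query.Result=OK",
    "2024-03-14T10:01:03Z 10,005 03/14 sess-B User.logout Query.Result=OK",
    "2024-03-14T10:02:00Z 10,006 03/14 sess-C Billing.lookup Query.Result=Error",
    "2024-03-14T10:02:30Z 10,007 03/14 sess-C User.logout Query.Result=OK",
]

# Same pattern as the rex in the answer, in Python's named-group syntax.
SESSION_RE = re.compile(r"\d\d,\d\d\d \d\d/\d\d (?P<SessionID>\S+)")

def parse_time(raw):
    """Read the leading ISO-8601 UTC timestamp of a constructed line."""
    stamp = raw.split(" ", 1)[0]
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_transactions(events):
    """Group lines by SessionID as `| transaction SessionID` does and add the
    duration and eventcount fields the answer mentions."""
    sessions = {}
    for raw in events:
        m = SESSION_RE.search(raw)
        if not m:
            continue  # no SessionID extracted: transaction has nothing to group on
        sessions.setdefault(m.group("SessionID"), []).append(raw)
    transactions = {}
    for sid, lines in sessions.items():
        times = [parse_time(line) for line in lines]
        transactions[sid] = {
            "_raw": "\n".join(lines),  # the combined multi-line event
            "eventcount": len(lines),
            "duration": (max(times) - min(times)).total_seconds(),
        }
    return transactions

def search_transactions(transactions, *terms):
    """Keep transactions whose combined _raw contains every term, mirroring
    `| search term1 term2` after transaction: terms may match different lines."""
    return {sid: t for sid, t in transactions.items()
            if all(term in t["_raw"] for term in terms)}

if __name__ == "__main__":
    tx = build_transactions(SAMPLE_EVENTS)
    print(sorted(search_transactions(tx, "NetworkService.queryOutages", "Query.Result=Error")))
```

Only sess-A is returned by the two-term search: the outage query and the error sit on different lines, which a plain line-level search would never join.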