Hello:
Not really answering my own question but just posting this as it may be useful to others facing the same issue.
"You have to have a common field to match on for the transaction command"
From: http://answers.splunk.com/answers/91742/grouping-of-similar-events
It looks like I may need to create a new field to use for the "transaction" to group on.
Using my example above, I may need to add a new field (let's call it "phase_name") that describes which "phase" of the program each event belongs to.
For example:
aaRegistration
...
... events during “aaRegistration” phase, all with datestamp
...
aaCalibration
I may need to add a new field where all events after aaRegistration have "phase_name" = "aaRegistration"
Then I may (hopefully) be able to retrieve the "aaRegistration" transaction by using the "phase_name" field.
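One way to build the "phase_name" field described in the post above, as an added example that is not part of the original post. It assumes each phase starts with a marker event whose raw text contains a name of the form "aa" followed by a capitalized word (as in aaRegistration and aaCalibration); the index and sourcetype are placeholders, and phase_marker and phase_seq are names made up for this example.

```spl
index=<your_index> sourcetype=<your_sourcetype>
| sort 0 _time
| rex field=_raw "(?<phase_marker>aa[A-Z][A-Za-z]+)"
| streamstats count(phase_marker) AS phase_seq
| eval phase_name=phase_marker
| filldown phase_name
| where phase_seq > 0
| sort 0 -_time
| transaction phase_seq phase_name
| table _time phase_seq phase_name duration eventcount
```

The first sort puts events in ascending time so that filldown carries each marker forward to the events that follow it, and the second sort restores the descending order that transaction expects. Grouping on phase_seq as well as phase_name keeps two separate runs of the same phase from being merged into one transaction.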