Try grouping by 'msg', which contains a unique date/time and audit identifier for each set of log messages. For example:
eventtype=audit | transaction msg
Or, you can try doing what the *NIX app's built-in rlog.sh does, and piping the audit log through "ausearch -i" to get human-readable output with one event per audit event. I'm trying to get this approach working, but there are some bugs in the shell script that I'm trying to fix. For more info about that, see this question.
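The grouping the answer above does with Splunk's transaction command keys on the msg=audit(&lt;epoch&gt;:&lt;serial&gt;) value that every record of one audit event shares; ausearch collapses records into events the same way. The following Python script is an added example, not code from the post, the *NIX app or rlog.sh: it parses raw auditd lines, groups them by that identifier (records of one event may be interleaved with another's), and flattens each event into the fields an analyst looks at first. The sample lines are constructed for the example, and the key names in the summary are the author's own choice; unlike ausearch -i it does not resolve uids or syscall numbers to names.

```python
import re
from collections import OrderedDict
from datetime import datetime, timezone

# Constructed sample, not real log data: two audit events whose records are
# interleaved, plus one non-audit line that must be ignored.
SAMPLE_LINES = [
    'type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=no exit=-13 a0=7fffd19c5592 a1=0 a2=7fffd19c4b50 a3=a items=1 ppid=2686 pid=3538 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="cat" exe="/usr/bin/cat" key="sshd_config"',
    'type=SYSCALL msg=audit(1364481363.250:24288): arch=c000003e syscall=59 success=yes exit=0 a0=55d1c3a0 a1=55d1c4b0 a2=55d1c5c0 a3=0 items=2 ppid=3540 pid=3541 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="sudo" exe="/usr/bin/sudo" key="privesc"',
    'type=CWD msg=audit(1364481363.243:24287): cwd="/home/shadowman"',
    'type=PATH msg=audit(1364481363.243:24287): item=0 name="/etc/ssh/sshd_config" inode=409248 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00',
    'type=EXECVE msg=audit(1364481363.250:24288): argc=2 a0="sudo" a1="-i"',
    'type=PATH msg=audit(1364481363.250:24288): item=0 name="/usr/bin/sudo" inode=131 dev=fd:00 mode=0104755 ouid=0 ogid=0 rdev=00:00',
    'this line is not an audit record and must be skipped',
]

# Record header: type=<TYPE> msg=audit(<epoch.millis>:<serial>): <key=value ...>
HEADER_RE = re.compile(
    r'^type=(?P<type>\S+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$'
)
# key=value pairs; values are either a double-quoted string or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Parse one auditd line into a dict, or return None for non-audit lines."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('body'))}
    return {
        'type': m.group('type'),
        'msg': f"{m.group('ts')}:{m.group('serial')}",  # the per-event identifier
        'ts': float(m.group('ts')),
        'fields': fields,
    }


def group_by_msg(lines):
    """Group records by their msg identifier, preserving first-seen order of events."""
    events = OrderedDict()
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        events.setdefault(rec['msg'], []).append(rec)
    return events


def summarize(records):
    """Flatten one event's records into a single dict (author's own field names)."""
    by_type = {}
    for rec in records:
        by_type.setdefault(rec['type'], []).append(rec)

    def first(rtype):
        recs = by_type.get(rtype)
        return recs[0]['fields'] if recs else {}

    syscall, execve = first('SYSCALL'), first('EXECVE')
    argv = [execve[f'a{i}'] for i in range(int(execve.get('argc', 0)))]
    return {
        'msg': records[0]['msg'],
        'time': datetime.fromtimestamp(records[0]['ts'], tz=timezone.utc).isoformat(),
        'types': [r['type'] for r in records],
        'success': syscall.get('success'),
        'uid': syscall.get('uid'),
        'comm': syscall.get('comm'),
        'exe': syscall.get('exe'),
        'key': syscall.get('key'),
        'cwd': first('CWD').get('cwd'),
        'paths': [r['fields'].get('name') for r in by_type.get('PATH', [])],
        'argv': argv,
    }


def summarize_events(lines):
    """One summary per audit event, in the order the events first appeared."""
    return [summarize(recs) for recs in group_by_msg(lines).values()]


if __name__ == '__main__':
    for event in summarize_events(SAMPLE_LINES):
        print(event)
```

Feed it real data with `summarize_events(open('/var/log/audit/audit.log'))`; the grouping holds as long as the file is read in order, which is also why the Splunk approach needs the full msg value rather than the timestamp alone (the serial disambiguates events that share a millisecond).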