My search is partially working in the aspect that it returns event data, however all of the events are mashed into one and the duration is calculated off the first event and the last event.
Search Command:
(index=jjj host=server OR host=server2 (inbound OR outbound)) | xmlkv | table _time, host, TokenId, inbound, outbound, _raw | transaction TokenId | search TokenId="$tokenId$"
I would like to the returned data to show each event as they occur or inbound event and outbound event for 1 duration time. Then move on to the next event and so on.
jb
Adding maxspan and maxpause to the transaction resolved the problem.
Don't use the transaction command, then. It might also be helpful if you explained your data a little more. What do you mean "for 1 duration time"? What exactly do you want the output to look like?
In the meantime, I suggest this:
(index=jjj host=server OR host=server2 (inbound OR outbound)) "$tokenId$"
| xmlkv
| search TokenId="$tokenId$"
| table _time, host, TokenId, inbound, outbound, _raw