We have logs that do stuff like this:
message id=1
message id=2 parent=1
message id=2 parent=1
message id=3 parent=1
message id=5 parent=2
message id=5 parent=2
message id=6 parent=5
message id=6 parent=5
It's easy enough to do a subsearch that gets one level of relationship, but is there any way to search for all related messages recursively?
I believe in Splunk 4.1 you can do:
sourcetype=messages | eval f=id." ".parent | makemv f delim=" " | transaction f
but that the transaction command in 4.0 and below won't do this.
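The recursive grouping the question asks for, done outside Splunk as an added example (not code from either post, and not a description of how the transaction command works internally): a union-find over the id and parent values, run on the question's sample lines. The function names and the second thread (ids 9 and 10) are constructed for illustration.

```python
import re
from collections import defaultdict

# First 8 lines are the question's sample; the last 2 are a constructed second thread.
LINES = """\
message id=1
message id=2 parent=1
message id=2 parent=1
message id=3 parent=1
message id=5 parent=2
message id=5 parent=2
message id=6 parent=5
message id=6 parent=5
message id=9
message id=10 parent=9
""".splitlines()
FIELD_RE = re.compile(r"\b(id|parent)=(\S+)")

def parse(line):
    """Extract the id and (optional) parent fields from one log line."""
    return dict(FIELD_RE.findall(line))

def group_related(lines):
    """Group lines into threads, following parent links to any depth and in any order."""
    root = {}  # union-find pointers keyed by message id
    def find(x):
        root.setdefault(x, x)
        while root[x] != x:
            root[x] = root[root[x]]  # path halving
            x = root[x]
        return x
    events = []
    for line in lines:
        fields = parse(line)
        if "id" not in fields:
            continue  # skip lines that are not messages
        events.append((fields["id"], line))
        # Merge the message's set with its parent's set (or itself if it has none).
        root[find(fields["id"])] = find(fields.get("parent", fields["id"]))
    groups = defaultdict(list)
    for msg_id, line in events:
        groups[find(msg_id)].append(line)
    return sorted(groups.values(), key=len, reverse=True)

def related_ids(lines, msg_id):
    """Return every message id in the same thread as msg_id (empty set if unknown)."""
    threads = [{parse(l)["id"] for l in g} for g in group_related(lines)]
    return next((t for t in threads if msg_id in t), set())
```

Because the merge is order-independent, a child logged before its parent still lands in the same thread.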