Brief Synopsis: I have a system that users log into and create a case, which moves around some data and does some processing of it. My goal is to have Splunk generate a report after each Case that will be sent to the user. Eventually I will trim down to only sending all the error entries in the report, but right now I would just like the report to be a listing of all the log entries in the index (there are several log files from different sub-systems feeding the index) that took place while the Case was running.

I have a search that is accurately creating transactions for each case:

index=EDS | transaction caseName maxspan=-1 maxpause=-1

That returns the following when run manually (when set as an alert it correctly triggers a separate email at the completion of each Case):

**6/12/12
1:02:10.000 PM

[06/12/2012 13:02:10 MainForm INFO ] - Case: TESTCASE02 Started at 1:02:10 PM with MAX_THREADS = 2
[06/12/2012 14:44:52 MainForm INFO ] - Case: TESTCASE02 Resolved at 2:44:52 PM

* source=D:\EDS\Logs\EDS.Client.log  * caseName=Case: TESTCASE02 

**6/12/12
11:59:17.000 AM

[06/12/2012 11:59:17 MainForm INFO ] - Case: TESTCASE01 Started at 11:59:17 AM with MAX_THREADS = 2
[06/12/2012 13:01:31 MainForm INFO ] - Case: TESTCASE01 Resolved at 1:01:31 PM

* source=D:\EDS\Logs\EDS.Client.log  * caseName=Case: TESTCASE01

I've tried all kinds of different ways to get all the entries between to show, but have been unsuccessful. I have also created 2 eventtypes: caseStart and caseFinish, that accurately pull out those same 2 entries. I thought that maybe I could use those as boundaries for a secondary search, but haven't been successful. Can anyone point me in the correct direction that I should be going to accomplish this task? Any help would be great, thanks!