So I'm trying to build a transaction based on events I am getting from a log. I'm struggling with how to set the transaction command to look for the "jobname" and grab all the events between a "Job started" event and a "Job ended" event. This can vary from 2 to 12 unique event logs. So how can I tell Splunk whenever you see a "Job started" in the event, create a transaction including the events all the way up to a "Job ended" event?
|transaction jobname ?????
based on the example, jobname = "JobName ABC" (created with regex)
(event 5)Informational May 24, 2019 2:42:47 PM CDT Transaction "JobName ABC": Job ended
(event 4)....
(event 3)....
(event 2)....
(event 1)Informational May 24, 2019 2:40:17 PM CDT Transaction "JobName ABC": Job started
Thanks for any help. Joe
Try this:
| transaction jobname startswith="Job started" endswith="Job ended"
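To make the grouping behaviour concrete, here is an added Python emulation of what the answer's `transaction jobname startswith="Job started" endswith="Job ended"` search does; it is not Splunk code and not from the answer. The jobname extraction regex is assumed (the poster's own regex is not shown), the timestamp format is taken from the sample events, and the log lines are constructed, including a second job ("JobName XYZ") that starts but never ends so the incomplete case is visible. A hunt for "jobs that started but never ended" is often the more useful output, since a missing end marker is what indicates a failed or hung job.

```python
import re
from datetime import datetime

# Assumed extraction pattern: level, timestamp, timezone, jobname, message.
# Timestamp layout matches the sample events in the question.
EVENT_RE = re.compile(
    r'^(?P<level>\w+) (?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<tz>\w+) Transaction "(?P<jobname>[^"]+)": (?P<message>.+)$'
)
TS_FORMAT = "%b %d, %Y %I:%M:%S %p"

# Constructed sample events, newest first as in the question's listing.
# "JobName ABC" runs start to end; "JobName XYZ" starts but never ends.
SAMPLE_LOG = [
    'Informational May 24, 2019 2:42:47 PM CDT Transaction "JobName ABC": Job ended',
    'Informational May 24, 2019 2:41:30 PM CDT Transaction "JobName ABC": Step 3 completed',
    'Informational May 24, 2019 2:41:05 PM CDT Transaction "JobName XYZ": Job started',
    'Informational May 24, 2019 2:40:50 PM CDT Transaction "JobName ABC": Step 2 completed',
    'Informational May 24, 2019 2:40:30 PM CDT Transaction "JobName ABC": Step 1 completed',
    'Informational May 24, 2019 2:40:17 PM CDT Transaction "JobName ABC": Job started',
]


def parse_event(line):
    """Turn one raw log line into a dict; returns None for lines that do not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.strptime(ev["ts"], TS_FORMAT)
    return ev


def build_transactions(lines, startswith="Job started", endswith="Job ended"):
    """Group events per jobname from a start marker up to an end marker.

    Returns a list of dicts with keys: jobname, events (oldest first),
    duration_s, closed (False when the job started but no end marker was seen).
    """
    events = [e for e in (parse_event(l) for l in lines) if e]
    events.sort(key=lambda e: e["time"])  # walk oldest -> newest
    open_txns = {}  # jobname -> transaction currently being built
    finished = []
    for ev in events:
        name = ev["jobname"]
        if ev["message"].startswith(startswith):
            # A new start while one is still open means the earlier run never ended.
            if name in open_txns:
                finished.append(open_txns.pop(name))
            open_txns[name] = {"jobname": name, "events": [], "closed": False}
        txn = open_txns.get(name)
        if txn is None:
            continue  # event outside any start..end window; this emulation drops it
        txn["events"].append(ev)
        if ev["message"].startswith(endswith):
            txn["closed"] = True
            finished.append(open_txns.pop(name))
    # Jobs still open when the data runs out are reported as incomplete.
    finished.extend(open_txns.values())
    for txn in finished:
        first, last = txn["events"][0]["time"], txn["events"][-1]["time"]
        txn["duration_s"] = int((last - first).total_seconds())
    return finished


def incomplete_jobs(transactions):
    """Names of jobs that started but never reached the end marker."""
    return [t["jobname"] for t in transactions if not t["closed"]]


if __name__ == "__main__":
    txns = build_transactions(SAMPLE_LOG)
    for t in txns:
        state = "closed" if t["closed"] else "OPEN (no 'Job ended')"
        print(f'{t["jobname"]}: {len(t["events"])} events, {t["duration_s"]}s, {state}')
    print("incomplete:", incomplete_jobs(txns))
```

With the constructed log this yields one closed transaction for "JobName ABC" (5 events, 150 s) and one open transaction for "JobName XYZ", which is the case to alert on.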