Yes, it's possible. Use the "transaction" command.
source="/opt/cq5/instance_1/logs/access.log" | transaction maxpause=4m keepevicted=true ThreadId host maxevents=2
The above statement:
- looks for a maximum of 2 events (maxevents=2) to form one row
- looks at a 4 minute window between the two events (maxpause=4m)
- matches the two events by comparing the host and "ThreadId"
The "ThreadId" is a custom field extraction that picks out the unique number in the square brackets (e.g. '[1638]') in your example:
EXTRACT-ThreadId Inline (?i)^[^\+]*\+\d+\s+\[(?P<ThreadId>[^\]]+)]\s+[<-][>-]
Hope that helps
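A simplified model of the pairing described in the answer above, as an added example that is not part of the original post and not Splunk's implementation: it applies the post's ThreadId regex to constructed log lines and groups them by host and ThreadId with the same 2-event and 4-minute limits. The sample lines, the host names and the `transactions` helper are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# ThreadId extraction regex copied unchanged from the post.
THREAD_RE = re.compile(r"(?i)^[^\+]*\+\d+\s+\[(?P<ThreadId>[^\]]+)]\s+[<-][>-]")
MAXPAUSE = timedelta(minutes=4)  # maxpause=4m
MAXEVENTS = 2                    # maxevents=2

# Constructed sample events as (host, raw line); not taken from a real log.
SAMPLE = [
    ("web01", "09/Mar/2012:10:15:01 +0100 [1638] -> GET /content/a.html HTTP/1.1"),
    ("web01", "09/Mar/2012:10:15:02 +0100 [1639] -> GET /content/b.html HTTP/1.1"),
    ("web01", "09/Mar/2012:10:15:03 +0100 [1638] <- 200 text/html 2000ms"),
    ("web02", "09/Mar/2012:10:15:04 +0100 [1638] -> GET /content/c.html HTTP/1.1"),
    ("web01", "09/Mar/2012:10:21:00 +0100 [1639] <- 200 text/html 358000ms"),
]

def transactions(events):
    """Group events per (host, ThreadId), oldest first.

    A group ends when it holds MAXEVENTS lines or when the next line for the
    same key arrives more than MAXPAUSE later. Groups that never reach
    MAXEVENTS are still returned (the query sets keepevicted=true), flagged
    complete=False.
    """
    open_tx, done = {}, []
    for host, line in events:
        m = THREAD_RE.match(line)
        if not m:
            continue  # no ThreadId extracted, so the line cannot be paired
        ts = datetime.strptime(" ".join(line.split()[:2]), "%d/%b/%Y:%H:%M:%S %z")
        key = (host, m.group("ThreadId"))
        tx = open_tx.get(key)
        if tx and ts - tx["last"] > MAXPAUSE:
            done.append({**tx, "complete": False})  # gap too long: emit as-is
            tx = None
        if tx is None:
            tx = open_tx[key] = {"key": key, "lines": [], "last": ts}
        tx["lines"].append(line)
        tx["last"] = ts
        if len(tx["lines"]) == MAXEVENTS:
            done.append({**open_tx.pop(key), "complete": True})
    done += [{**tx, "complete": False} for tx in open_tx.values()]
    return done

if __name__ == "__main__":
    for tx in transactions(SAMPLE):
        print(tx["key"], "complete" if tx["complete"] else "incomplete", len(tx["lines"]))
```

The same ThreadId on web02 is not merged with web01's events because host is part of the key, and the [1639] response that arrives almost six minutes after its request is not paired with it.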