Hi guys,
I am new to splunk. I have multiple events that looks like this:
- 2020-02-07 07:21:20 action_time="2020-01-02 07:21:20.39", id_client="1234", ticket="1",
- 2020-02-07 07:21:20 action_time="2020-01-02 07:22:20.39", id_client="4567", ticket="2"
- 2020-02-07 07:21:20 action_time="2020-01-02 07:23:20.39", id_client="1234", ticket="2"
- ...
I would like to see transaction like this:
in All events, find the first event where id_client = "1234" and ticket="1". If match, find next event with the same id_client, but the ticket= "2".
so, for the same client, find first ticket=1, following after the ticket=2.
I tried with: ...| transaction action startwith='1' endwith='2' but it does not work
how can we do this in splunk ?
I thank you i advance,
↧