I have a few events, and I need to tie one of them (an event that happens later in my product's transaction) back to the first log of the transaction. The initial problem is that the last log has one type of ID number, and the first log has a different type of ID. I do, however, have an event that always happens in between and contains both ID number types. I would like to create a Splunk query transaction, but I need a little help. I already have the regex I need to extract the values once I can get a transaction.
Working my way backwards, here is the final log of the three (I only want to net transactions that have this type of log), then collect the data from their respective first log. This log contains MID (the number following MID, before SPF):
Oct 26 12:44:59 10.x.x.x Splunk_PIApp_Mail_Logs_LVDC: Info: MID 90438452 SPF: mailfrom sender@company.com PermError (v=spf1)
Here is the in-between log that has both id numbers (the MID and the ICID):
Oct 26 12:44:59 10.x.x.x Splunk_PIApp_Mail_Logs_LVDC: Info: Start MID 90438452 ICID 113286802
And finally, here is the very first event, which contains the ICID number and the information I want:
Oct 26 12:44:59 10.x.x.x Splunk_PIApp_Mail_Logs_LVDC: Info: New SMTP ICID 113286802 interface DATAEXT1 (10.x.x.x) address 54.x.x.x reverse dns host sendingserver.sendingdomain.com verified yes
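The two-hop linkage described in the post (SPF event → MID → "Start MID … ICID" event → ICID → "New SMTP" event) can be checked outside Splunk before writing the query. The block below is an added example, not code from the poster or from Splunk; it stitches the three event types together over a constructed copy of the sample lines, emulating what `transaction` does when it is given both the MID and ICID fields. The regular expressions, the field names (`mid`, `icid`, `address`, `rdns`, `verified`, `sender`, `verdict`) and the second, incomplete message (MID 90438460, which never receives an SPF verdict) are all assumptions made for the example. Only chains that end in an SPF event and resolve all the way back to a "New SMTP" event are reported, matching the requirement to keep only transactions that contain the SPF log.

```python
import re

# Constructed sample: the three lines from the post, plus a second message
# (ICID 113286900 / MID 90438460) that never gets an SPF verdict and so
# must NOT appear in the output.
SAMPLE_LOGS = """\
Oct 26 12:44:59 10.x.x.x Splunk_PIApp_Mail_Logs_LVDC: Info: New SMTP ICID 113286802 interface DATAEXT1 (10.x.x.x) address 54.x.x.x reverse dns host sendingserver.sendingdomain.com verified yes
Oct 26 12:44:59 10.x.x.x Splunk_PIApp_Mail_Logs_LVDC: Info: Start MID 90438452 ICID 113286802
Oct 26 12:44:59 10.x.x.x Splunk_PIApp_Mail_Logs_LVDC: Info: MID 90438452 SPF: mailfrom sender@company.com PermError (v=spf1)
Oct 26 12:45:03 10.x.x.x Splunk_PIApp_Mail_Logs_LVDC: Info: New SMTP ICID 113286900 interface DATAEXT1 (10.x.x.x) address 198.51.100.7 reverse dns host other.example.net verified no
Oct 26 12:45:03 10.x.x.x Splunk_PIApp_Mail_Logs_LVDC: Info: Start MID 90438460 ICID 113286900
"""

# Assumed extraction patterns for the three event types (hypothetical; the
# poster says they already have their own regexes).
NEW_SMTP_RE = re.compile(
    r"New SMTP ICID (?P<icid>\d+) interface (?P<iface>\S+) \((?P<ifaddr>[^)]+)\) "
    r"address (?P<address>\S+) reverse dns host (?P<rdns>\S+) verified (?P<verified>\S+)"
)
START_RE = re.compile(r"Start MID (?P<mid>\d+) ICID (?P<icid>\d+)")
SPF_RE = re.compile(r"MID (?P<mid>\d+) SPF: mailfrom (?P<sender>\S+) (?P<verdict>\S+)")


def stitch(lines):
    """Join SPF events back to their originating SMTP connection.

    Returns one dict per MID that has an SPF verdict AND a complete
    MID -> ICID -> 'New SMTP' chain. Incomplete chains are dropped.
    """
    conn_by_icid = {}   # ICID -> fields from the 'New SMTP' event
    icid_by_mid = {}    # MID  -> ICID, from the 'Start MID ... ICID' event
    spf_by_mid = {}     # MID  -> fields from the SPF event

    for line in lines:
        # Check the most specific pattern first: a 'Start' line also
        # contains 'MID <n>' but has no 'SPF:' token, so order matters little,
        # but being explicit keeps the classification unambiguous.
        if m := START_RE.search(line):
            icid_by_mid[m["mid"]] = m["icid"]
        elif m := SPF_RE.search(line):
            spf_by_mid[m["mid"]] = m.groupdict()
        elif m := NEW_SMTP_RE.search(line):
            conn_by_icid[m["icid"]] = m.groupdict()

    results = []
    for mid, spf in spf_by_mid.items():
        icid = icid_by_mid.get(mid)
        conn = conn_by_icid.get(icid) if icid else None
        if conn is None:
            # Either the in-between event or the first event is missing;
            # without both hops the SPF result cannot be attributed.
            continue
        results.append({**conn, **spf})  # 'icid' present in conn, 'mid' in spf
    return sorted(results, key=lambda r: r["mid"])


if __name__ == "__main__":
    for row in stitch(SAMPLE_LOGS.splitlines()):
        print(f"MID {row['mid']} ICID {row['icid']} from {row['address']} "
              f"({row['rdns']}, verified={row['verified']}) "
              f"sender {row['sender']} SPF={row['verdict']}")
```

Running the script prints a single row for MID 90438452; the second message is silently dropped because it never reaches the SPF stage. If MIDs or ICIDs can be reused across a long search window, the dictionaries would need to be keyed by time as well, which is the same reason a Splunk transaction is normally bounded with a span or a start/end condition.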