I am trying to match logs that do not have a common id between them. I'm trying to match a log that has the state ALARM with a log that is identical except the state is NORMAL. I am able to use grok to take apart my messages and get those states along with other identifying factors. However, there are usually many logs between a corresponding ALARM and NORMAL log and those logs in between may have their own ALARM and NORMAL states. I have been unable to find a similar approach to accomplish what I'm looking for.
The end result is to have an event that has a start and end time (ALARM log time and NORMAL log time). If I can provide other information that would be useful, please let me know. What steps should be taken to achieve this sort of matching or where should I be looking for more information?