I am trying to figure out how to pull the data around the following event that matches on the second MID.
Tue May 31 14:16:21 2011 Info: MID 47539682 was generated based on MID 47539681 by notify-copy filter 'notify_subject_line'
The events associated with the second MID contain all of the relevant data that triggered this event. I am using the Cisco_esa_addon to handle the extractions, so MID is getting extracted twice for this event. I created another extraction to just extract the second MID as trigger_mid. Is it possible to use a transaction to match trigger_mid to mid, or is this going to require a subsearch?
sourcetype=cisco_esa notify_subject_line | rex "based on MID (?<trigger_mid>\S+)"| transaction ???
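As an added illustration of the correlation the question is after (not code from the question or from the Cisco ESA add-on), the following Python does outside Splunk what a join of trigger_mid against mid would do inside it: it finds each "was generated based on MID" line, pulls the originating MID out of it, and collects every other log line that carries that originating MID. Splunk's transaction groups events that share the same value in one named field, so the two fields have to be lined up somehow before grouping; this example simply indexes every line by every MID it mentions and looks the trigger MID up in that index. All log lines except the one quoted in the question are constructed for the example, in the style of Cisco ESA mail_logs, and the field names (mid, trigger_mid, filter_name) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample mail_logs lines in the style of the single line shown in the
# question. Only the "was generated based on MID" line is taken from the question.
SAMPLE_LOG = """\
Tue May 31 14:16:19 2011 Info: Start MID 47539681 ICID 9001
Tue May 31 14:16:19 2011 Info: MID 47539681 ICID 9001 From: <sender@example.net>
Tue May 31 14:16:20 2011 Info: MID 47539681 ICID 9001 RID 0 To: <user@example.com>
Tue May 31 14:16:20 2011 Info: MID 47539681 Subject 'Quarterly report'
Tue May 31 14:16:21 2011 Info: MID 47539682 was generated based on MID 47539681 by notify-copy filter 'notify_subject_line'
Tue May 31 14:16:21 2011 Info: MID 47539682 queued for delivery
Tue May 31 14:16:22 2011 Info: MID 47539683 ICID 9002 From: <other@example.org>
"""

# Any MID mentioned anywhere on a line (the notify line mentions two).
MID_RE = re.compile(r"\bMID (\d+)")
# The notify event: new MID, originating MID, filter type and filter name.
TRIGGER_RE = re.compile(
    r"MID (?P<mid>\d+) was generated based on MID (?P<trigger_mid>\d+) "
    r"by (?P<filter_type>\S+) filter '(?P<filter_name>[^']+)'"
)
# Fields worth lifting out of the originating message's own events.
FROM_RE = re.compile(r"From: <([^>]*)>")
TO_RE = re.compile(r"To: <([^>]*)>")
SUBJ_RE = re.compile(r"Subject '([^']*)'")


def index_by_mid(lines):
    """Map each MID value to every line that mentions it."""
    by_mid = defaultdict(list)
    for line in lines:
        for mid in set(MID_RE.findall(line)):
            by_mid[mid].append(line)
    return by_mid


def find_notify_events(lines):
    """Return one dict per 'generated based on MID' line with the parsed fields."""
    events = []
    for line in lines:
        m = TRIGGER_RE.search(line)
        if m:
            events.append({"line": line, **m.groupdict()})
    return events


def summarize(trigger_lines):
    """Pull sender, recipients and subject out of the originating MID's events."""
    summary = {"from": None, "to": [], "subject": None}
    for line in trigger_lines:
        if (m := FROM_RE.search(line)):
            summary["from"] = m.group(1)
        if (m := TO_RE.search(line)):
            summary["to"].append(m.group(1))
        if (m := SUBJ_RE.search(line)):
            summary["subject"] = m.group(1)
    return summary


def correlate(log_text, filter_name=None):
    """For each notify event (optionally limited to one filter name), attach the
    events of the MID it was generated from, i.e. join trigger_mid against mid."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    by_mid = index_by_mid(lines)
    results = []
    for ev in find_notify_events(lines):
        if filter_name is not None and ev["filter_name"] != filter_name:
            continue
        # The notify line itself also mentions the trigger MID; leave it out of the
        # originating message's event list.
        trigger_events = [l for l in by_mid[ev["trigger_mid"]] if l != ev["line"]]
        results.append({**ev, "trigger_events": trigger_events,
                        "summary": summarize(trigger_events)})
    return results


if __name__ == "__main__":
    for r in correlate(SAMPLE_LOG, filter_name="notify_subject_line"):
        print(f"MID {r['mid']} generated from MID {r['trigger_mid']} "
              f"by filter {r['filter_name']}: {r['summary']}")
        for line in r["trigger_events"]:
            print("   ", line)
```

Running it prints the one notify event from the sample together with the four lines of the originating message (MID 47539681) and a summary of its sender, recipient and subject; the line for MID 47539683 is not picked up because nothing references it.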