We are ingesting F5 ASM application logs. When a user first hits the login page and attempts to log in, the keypair is: query_string="cmd=login&languageCd=ENG"; additionally, the userid attribute is logged . If they enter in the wrong credentials, the querystring is changed to "cmd=login&languageCd=ENG&cmd=login&errorCode=105" and the userid attribute is not present in the record. In both of these different records, the sessionid is consistent.
I want to tie these two records using the session_id, so I can create a table that displays the usernames of people who failed to log in. Is there a way to do this with the "transaction" keyword? Thanks!