The scenario:
We are ingesting F5 ASM application logs. When a user first hits the login page and attempts to log in, the keypair is: query_string="cmd=login&languageCd=ENG"
; additionally, the userid attribute is logged . If they enter in the wrong credentials, the query_string is changed to "cmd=login&languageCd=ENG&cmd=login&errorCode=105
" and the userid attribute is not present in the record. In both of these different records, the session_id is consistent.
I want to tie these two records using the session_id, so I can create a table that displays the usernames of people who failed to log in. Is there a way to do this with the "transaction" keyword? Thanks!
Yes, if the session_id
is unique to a user's session, you can use transaction
or stats
with a by session_id
clause.
| transaction session_id
OR
| stats values(user_id) by session_id