Hi,
Essentially, I am trying to join 2 or 3 log entries together linking them by a yet to be determined value (session ID) where the field I am searching for is not in every entry I am looking for.
Breakdown:
One Log Entry (AuthRs)
- has sessionID that links the two entries
- has a field value that I know of beforehand (UID)
- has other field values that I need (status)
Second Log Entry (One of 2 entries - either AuthRq or AuthRt - one of the two will exist)
- has the sessionID
- doesn't have UID
- has other field values I need (IP Address, UserAgent)
Pseudo search:
1 index=a sourcetype=a "AuthRs" UID=abc
2 | table _time, UID, status, sessionID
3 | join sessionID [ search sourcetype=a "AuthRq" OR "AuthRt" (need to pass sessionID from search here somehow) ]
4 | table _time, UID, status, sessionID, IPAddress, useragent (final table of values I want)
I've also tried a search like this:
Pseudo search 2
index=a sourcetype=a (UID=123 AND "AuthRs") OR "AuthRq" OR "AuthRt"
| stats list(_time) list(UID) list(status) list(IPAddress) list(userAgent) by sessionID
I understand that subsearches are run first but not sure how to rewrite the search for the correct order. I have also heard
The issue is that the line 1 search may identify multiple entries and I'd need to link all the events of search 1 to entries of search 2 by passing multiple session IDs if necessary. Without being able to pass the session ID, line 3 search conducts too many searches and drops results.
Maybe I can do an initial search just for the session IDs and then
If I'm not clear, please let me know and I can try and explain further.
I think I figured it out. I did end up searching for just the session IDs and passing them to the search.
Pseudo code:
index=a sourcetype=a "AuthRs" OR "AuthRq" OR "AuthRt"
[ search sourcetype=a "AuthRs" UID=123 | fields sessionID ]
| stats list(_time) list(UID) list(status) list(IPAddress) list(userAgent) by sessionID
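An added example, not the poster's own search, that does the same AuthRs/AuthRq/AuthRt correlation without a subsearch, assuming the field names used in this thread (sessionID, UID, status, IPAddress, userAgent) and index/sourcetype a:

```spl
index=a sourcetype=a ("AuthRs" OR "AuthRq" OR "AuthRt")
| fields _time sessionID UID status IPAddress userAgent
| stats min(_time) as _time
        values(UID) as UID
        values(status) as status
        values(IPAddress) as IPAddress
        values(userAgent) as userAgent
        count as events
    by sessionID
| search UID=123
| where events >= 2
| table _time sessionID UID status IPAddress userAgent
```

Grouping by sessionID first and filtering on UID afterwards means no session IDs are lost to the subsearch result cap (10,000 rows by default) or the 60-second subsearch timeout; values() also deduplicates repeated field values where list() does not, and the events >= 2 check keeps only sessions where both the AuthRs and the AuthRq/AuthRt entry were found.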
@adamcoquim If your problem is resolved, please accept the answer to help future readers.