I am trying to use transaction command to correlate two event types. I need to correlate events based on value in "id" part of the following searches.
Search 1:- event=A somefield=jobtype-id
For Eg:- event=end somefield=job1-AAAAAAAAA�
Search 2:- event=B jobtype=id
For Eg:- event=start job1=AAAAAAAAA
Can contain multiple job_types in single event
Search 1 can contain 4 different types of "jobtype", like, job1, job2, job3 and job4. Search 1 will only contain one "jobtype" for any given event. Value of "id" is not extracted in any field.
Search 2 contains the above 4 types of jobs with corresponding "id". But, few Search 2 events can have multiple job_types. For Eg:- event=start job1=AAAAAAAAA job2=BBBBBBBB
I am using following transaction search,
(Search 1) OR (Search 2)
| rex somefield=(?>type>\w+\d)-(?>id>.*)�
| eval newfield=if(len(id)>0,id,if(len(job1)>0,job1,if(len(job2)>0,job2,if(len(job3)>0,job3,if(job4)>0,job4,""))))�
| transaction newfield keepevicted=true maxspan=1m�
| where eventcount < 2�
| table _raw type id
Above search works fine, but when Search 1 contains job3 as job_type and Search 2 contains job1 and job3. It does not correlates events. This is expected as in "eval" condition job1 is given preference.
I wanted to know if there is a way to reorder the "eval" condition based on job_type in Search 1, something like below (it does not works),
| eval a = if(len(id)>0,id,if(len(job1)>0,job1,if(len(job2)>0,job2,if(len(job3)>0,job3,if(job4)>0,job4,""))))
| eval b = if(len(id)>0,id,if(len(job2)>0,job2,if(len(job1)>0,job1,if(len(job3)>0,job3,if(job4)>0,job4,""))))
| eval c = if(len(id)>0,id,if(len(job3)>0,job3,if(len(job2)>0,job2,if(len(job1)>0,job1,if(job4)>0,job4,""))))�
| eval d = if(len(id)>0,id,if(len(job4)>0,job4,if(len(job2)>0,job2,if(len(job3)>0,job3,if(job1)>0,job1,""))))
| eval newfield=case(
type=job1, a,
type=job2, b,
type=job3, c,�
type=job4, d,
1 == 1, "NULL"
)
