Hello all,
I have two searches. One is for finding session info/durations and the other is for finding error info/durations. I want to combine the session IDs into my error info table based on whether the error occurred during that session.
So for instance, if I have something like this for my session data:
2021-06-14 14:45:12 UserId:123 Session 3 begin
2021-06-14 14:43:43 UserId:123 Session 2 end
2021-06-14 14:40:01 UserId:123 Session 2 begin
2021-06-14 14:33:10 UserId:123 Session 1 end
2021-06-14 14:25:44 UserId:123 Session 1 begin
And I have something like this for my error data:
2021-06-14 14:30:12 UserId:123 Error finish
2021-06-14 14:28:43 UserId:123 Error start
I would want to include session ID 1 in my error info table because an error happened during that session. I currently have a search like this, but it is not working how I want it to. How might I be able to rewrite this to show what I want? Also, if I wanted to just find the next session transaction after the end of an error, how could I do that?
index=INDEX host=HOSTNAME sourcetype=SOURCETYPE
| rex field=_raw "UserId:(?<user_id>\d+)"
| transaction user_id startswith="start" endswith="finish"
| where user_id<2000
| eval start=_time
| eval finish=_time+duration
| eval error_duration=tostring(duration, "duration")
| eval error_start=strftime(start, "%Y-%m-%d %H:%M:%S")
| eval error_end=strftime(finish, "%Y-%m-%d %H:%M:%S")
| join user_id [search index=INDEX host=HOSTNAME sourcetype=SOURCETYPE_TWO
| rex field=_raw "UserId:(?<user_id>\d+)\sSession\s(?<session_id>\d+)"
| sort 0 user_id session_id -_time
| transaction user_id session_id maxpause=5m endswith="end"
| eval begin=_time
| eval end=_time+duration
| where user_id<2000
| eval duration=tostring(duration, "duration")
| table user_id, begin, end, duration, session_id]
| where start>=begin and finish<=end
| table user_id, session_id, error_start, error_end, error_duration
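As an added illustration (not part of the original post, and not SPL), the following Python script applies the interval logic the question describes to the sample lines above: it pairs session begin/end events and error start/finish events per user, assigns each error the session whose window contains it, and also reports the first session that begins after the error finishes. The log lines are constructed copies of the sample data in the question; the regular expressions, field names and helper functions are assumptions chosen for this example.

```python
import re
from datetime import datetime

# Constructed sample data, modelled on the lines in the question (not real logs).
SESSION_LINES = [
    "2021-06-14 14:45:12 UserId:123 Session 3 begin",
    "2021-06-14 14:43:43 UserId:123 Session 2 end",
    "2021-06-14 14:40:01 UserId:123 Session 2 begin",
    "2021-06-14 14:33:10 UserId:123 Session 1 end",
    "2021-06-14 14:25:44 UserId:123 Session 1 begin",
]
ERROR_LINES = [
    "2021-06-14 14:30:12 UserId:123 Error finish",
    "2021-06-14 14:28:43 UserId:123 Error start",
]

TS_FMT = "%Y-%m-%d %H:%M:%S"
# Assumed line layouts, matching the samples above.
SESSION_RE = re.compile(
    r"^(?P<ts>\S+ \S+) UserId:(?P<user>\d+) Session (?P<sid>\d+) (?P<ev>begin|end)$")
ERROR_RE = re.compile(
    r"^(?P<ts>\S+ \S+) UserId:(?P<user>\d+) Error (?P<ev>start|finish)$")


def parse_sessions(lines):
    """Return {(user_id, session_id): (begin, end)}; end is None while a session is still open."""
    sessions = {}
    for line in lines:
        m = SESSION_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        key = (int(m["user"]), int(m["sid"]))
        begin, end = sessions.get(key, (None, None))
        if m["ev"] == "begin":
            begin = ts
        else:
            end = ts
        sessions[key] = (begin, end)
    return sessions


def parse_errors(lines):
    """Pair each user's 'Error start' with the next 'Error finish', oldest event first."""
    events = []
    for line in lines:
        m = ERROR_RE.match(line)
        if not m:
            continue
        events.append((datetime.strptime(m["ts"], TS_FMT), int(m["user"]), m["ev"]))
    events.sort()  # the sample arrives newest-first; pairing needs chronological order
    open_start, errors = {}, []
    for ts, user, ev in events:
        if ev == "start":
            open_start[user] = ts
        elif user in open_start:
            errors.append((user, open_start.pop(user), ts))
    return errors


def session_containing(sessions, user, start, finish):
    """Session id whose window covers [start, finish]; an open session covers anything after its begin."""
    for (u, sid), (begin, end) in sessions.items():
        if u != user or begin is None:
            continue
        if begin <= start and (end is None or finish <= end):
            return sid
    return None


def next_session_after(sessions, user, finish):
    """Id of the earliest session that begins after the error finished, or None."""
    candidates = [(begin, sid) for (u, sid), (begin, _) in sessions.items()
                  if u == user and begin is not None and begin > finish]
    return min(candidates)[1] if candidates else None


def correlate(session_lines, error_lines):
    """Build the error table the question asks for, one row per error transaction."""
    sessions = parse_sessions(session_lines)
    rows = []
    for user, start, finish in parse_errors(error_lines):
        rows.append({
            "user_id": user,
            "session_id": session_containing(sessions, user, start, finish),
            "next_session_id": next_session_after(sessions, user, finish),
            "error_start": start.strftime(TS_FMT),
            "error_end": finish.strftime(TS_FMT),
            "error_duration_s": int((finish - start).total_seconds()),
        })
    return rows


if __name__ == "__main__":
    for row in correlate(SESSION_LINES, ERROR_LINES):
        print(row)
```

On the sample data the single error (14:28:43 to 14:30:12) lands in session 1, and the next session to begin after it is session 2; a session with a begin but no end is treated as still open, so an error that starts after its begin is attributed to it.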
