I have two different searches:
1. index=xoom_app_online_checkout_orchestration_api user_id residence_country=US request_cobrand=null
2. index!=xoom_app_online_checkout_orchestration_api user_id tracing_user_id tracing_user_type="ABC"
From the first search, I want to retrieve user_id.
From the second search, I want to retrieve tracing_user_id.
I only want a response if user_id=tracing_user_id.
I was using this query, but it was ignoring values from search (1):
( index="xoom_app_online_checkout_orchestration_api" user_id residence_country=US request_cobrand=null ) OR (index!=xoom_app_online_checkout_orchestration_api tracing_user_id tracing_user_type="ABC" )
| eval joiner=if(index="xoom_app_online_checkout_orchestration_api", user_id, tracing_user_id)
| stats values(*) as * by joiner
| WHERE user_id=tracing_user_id
Something like:
( index="xoom_app_online_checkout_orchestration_api" user_id residence_country=US request_cobrand=null ) OR (index!=xoom_app_online_checkout_orchestration_api tracing_user_id tracing_user_type="ABC" )
| eval common_id = coalesce(user_id, tracing_user_id)
| eventstats values(index) as indices by common_id
| where indices == "xoom_app_online_checkout_orchestration_api" AND mvcount(indices) > 1
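
A Python model of which events the suggested query keeps, added here as an illustration and not part of the original reply or of Splunk itself. The sample events and the index name `other_app_index` are constructed, and the model assumes that `==` against a multivalue field in `where` matches when any one value matches.

```python
from collections import defaultdict

XOOM = "xoom_app_online_checkout_orchestration_api"

# Constructed sample events (not real data); "other_app_index" is a made-up name.
EVENTS = [
    {"index": XOOM, "user_id": "u1", "residence_country": "US"},
    {"index": "other_app_index", "tracing_user_id": "u1", "tracing_user_type": "ABC"},
    {"index": XOOM, "user_id": "u2", "residence_country": "US"},
    {"index": "other_app_index", "tracing_user_id": "u3", "tracing_user_type": "ABC"},
]


def coalesce(*values):
    """Return the first non-null argument, like SPL coalesce()."""
    return next((v for v in values if v is not None), None)


def correlate(events):
    # | eval common_id = coalesce(user_id, tracing_user_id)
    rows = [dict(e, common_id=coalesce(e.get("user_id"), e.get("tracing_user_id")))
            for e in events]

    # | eventstats values(index) as indices by common_id
    groups = defaultdict(set)
    for r in rows:
        if r["common_id"] is not None:
            groups[r["common_id"]].add(r["index"])

    kept = []
    for r in rows:
        if r["common_id"] is None:
            continue  # no group, so indices is null and the where clause drops it
        indices = sorted(groups[r["common_id"]])
        # | where indices == "<xoom index>" AND mvcount(indices) > 1
        if XOOM in indices and len(indices) > 1:
            kept.append(dict(r, indices=indices))
    return kept


def matched_ids(events):
    """Distinct ids seen both in the xoom index and in at least one other index."""
    return sorted({r["common_id"] for r in correlate(events)})


if __name__ == "__main__":
    print(matched_ids(EVENTS))
```

Both events for a matching id are kept, one from each index, because `eventstats` annotates events rather than collapsing them.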