I'm trying to establish a transaction. The information is in two different indexes, different sourcetypes, etc. Basically what I've got in index 1 is a bunch of XML-formatted Windows event log data...I'm able to successfully do the necessary search, run an spath on it to extract the field/value I need (a domain\username), etc. The other index contains pretty basic log data, including a field named "SlotID" that contains data formatted as domain\username. I'm also able to run a search successfully to grab that data. This is what the beginning of my search looks like:

host= (index=main sourcetype= Message=) OR (index=wineventlog EventID=800) | spath output=user path=Event.UserData.EventXML.param1 | eval lcuser=lower(user)

At that point if I go look at my search results I have all the data I need to get the transaction duration (which starts with the EventID=800 and ends with the log message). My problem is the common value resides in two differently-named fields (lcuser and SlotID). I have tried rename...but end up with only one event type "winning" (whichever one I rename last) and containing the new/renamed field). Same deal with eval to a new field...the last eval wins and the first eval no longer contains that field.

I'm lost and really hoping someone can lend a hand...been beating my head against the wall on this for the better part of 4 hours.

TIA!