Building on what @ITWhisperer says about join, the logic for avoiding join is to use stats, so you want to do something like this:

index=idx1 ... (identifiers here)
| rex "EventId: (?<event_id_1>\d+)"
| rex "\"EventId\",\"value\":\"(?<event_id_2>\d+)"
| eval event_id=coalesce(event_id_1, event_id_2)
| stats values(*) as * count by event_id
| where count=1

Your two rex statements capture to their own fields, and then you find the common field event_id with coalesce; the stats count will then count them. Depending on what your data looks like and how many events you would actually get, the stats statement can be adjusted to get the correct count of your 2 distinct message types. The values(*) as * carries all of the other fields you want to preserve through the stats, so use a fields statement before stats to restrict what you want out.
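To make the join-free pattern above concrete, here is an added Python emulation of the same pipeline (this is not code from the thread or from Splunk): two regexes stand in for the two rex lines, a coalesce picks whichever one matched, and a group-by replaces stats ... by event_id. The sample events and the message-type labels (format_1, format_2) are constructed for illustration; the ids_in_both_formats function shows one way the stats step can be adjusted, as the answer suggests, to count the two distinct message types per event_id instead of raw event count.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the thread), in the two raw formats
# that the two rex lines in the answer extract EventId from.
SAMPLE_EVENTS = [
    'EventId: 101 action=login',
    '{"field":"EventId","value":"101","status":"ok"}',
    'EventId: 102 action=login',
    '{"field":"EventId","value":"103","status":"ok"}',
    'unrelated line with no id',
]

# Equivalent of: | rex "EventId: (?<event_id_1>\d+)"
RX_FORMAT_1 = re.compile(r"EventId: (?P<event_id_1>\d+)")
# Equivalent of: | rex "\"EventId\",\"value\":\"(?<event_id_2>\d+)"
RX_FORMAT_2 = re.compile(r'"EventId","value":"(?P<event_id_2>\d+)')


def extract(event):
    """Run both rex patterns and coalesce the result.

    Returns (event_id, msg_type), or (None, None) when neither pattern
    matches. msg_type is a constructed label for which format matched.
    """
    m1 = RX_FORMAT_1.search(event)
    m2 = RX_FORMAT_2.search(event)
    event_id_1 = m1.group("event_id_1") if m1 else None
    event_id_2 = m2.group("event_id_2") if m2 else None
    # eval event_id=coalesce(event_id_1, event_id_2): first non-null wins
    event_id = event_id_1 if event_id_1 is not None else event_id_2
    if event_id is None:
        return None, None
    return event_id, ("format_1" if event_id_1 is not None else "format_2")


def stats_by_event_id(events):
    """Emulate `stats values(msg_type) count by event_id`.

    Events with no extractable id are dropped, just as stats ... by event_id
    drops events where the by-field is null.
    """
    groups = defaultdict(lambda: {"count": 0, "msg_types": set()})
    for ev in events:
        event_id, msg_type = extract(ev)
        if event_id is None:
            continue
        groups[event_id]["count"] += 1
        groups[event_id]["msg_types"].add(msg_type)
    return dict(groups)


def unmatched_ids(events):
    """Emulate `| where count=1`: ids that were seen in exactly one event."""
    return sorted(k for k, v in stats_by_event_id(events).items()
                  if v["count"] == 1)


def ids_in_both_formats(events):
    """Adjusted stats (assumed variant): ids present in both message formats,
    i.e. the equivalent of dc(msg_type)=2 rather than a raw event count."""
    return sorted(k for k, v in stats_by_event_id(events).items()
                  if len(v["msg_types"]) == 2)


if __name__ == "__main__":
    for event_id, row in sorted(stats_by_event_id(SAMPLE_EVENTS).items()):
        print(event_id, row["count"], sorted(row["msg_types"]))
    print("only one event:", unmatched_ids(SAMPLE_EVENTS))
    print("in both formats:", ids_in_both_formats(SAMPLE_EVENTS))
```

Counting by event_id after coalesce is what makes join unnecessary: every event from either format lands in the same bucket, and the post-stats filter (count=1, or a distinct count of message types) decides which buckets you keep. Narrowing with fields before stats matters for the same reason the answer gives, since values(*) as * would otherwise carry every field of every event through the aggregation.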