I have an authentication service.
This service uses EventID 10, which contains the name of the TargetApplication the user is authenticating with, as well as a unique ID for the user's session.
The ID can then be correlated with EventID 11 (one Event10 to many Event11 relationship), which provides other details about the user. There are N instances of this event all containing data that needs to be correlated, and they all contain the ID for correlation. EventID 11 does not contain "target application", which has rendered me unable to use any simple methods of correlation.
If I use join, it will only join one of the EventID 11 entries; I need N entries.
If I use transaction, it fails because the EventID 11s do not contain the TargetApplication with which I am performing the initial search to retrieve a list of IDs. Transaction WILL work if I use an ID rather than a TargetApplication, but this is useless as I need more than one result per search.
If I use append/selfjoin, the TargetApplication search will be rendered useless, as when it is performing the append search for Event 11s, it will simply return all the results for every application because EventID 11 does not contain a TargetApplication.
So my question follows.
How do I use the output of a search
    // returns list of EventID 10 with ID
    TargetApplication=myApp
to power a new search
    // returns a list of EventID 11 for the given ID, containing extra data for correlation.
    foreach (resultingID in searchResults) {
        search [ ID=resultingID EventID=11 ]
    }
so I can correlate my data?
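One way to express the loop described in the question, as an added example that is not part of the original post: a subsearch turns the EventID 10 results for `myApp` into an `ID=... OR ID=...` filter for the EventID 11 events, and `eventstats` copies the application name onto every EventID 11 event that shares the ID, so all N entries per session are kept. The field names `EventID`, `TargetApplication` and `ID` are taken from the question; the base search scope (index, sourcetype, time range) is omitted and is assumed to be supplied by the reader.

```spl
(EventID=10 TargetApplication=myApp)
OR (EventID=11 [ search EventID=10 TargetApplication=myApp
                 | dedup ID
                 | fields ID ])
| eventstats values(TargetApplication) AS TargetApplication BY ID
| search EventID=11
| table _time ID TargetApplication _raw
```

The subsearch is subject to the result-count and runtime limits set for subsearches in `limits.conf`, so if `myApp` produces more session IDs than that limit allows, some sessions will be silently missing from the correlated output.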