I am trying to use transaction command to correlate two event types. I need to correlate events based on value in "id" part of the following searches. Search 1:- event=A somefield=job_type-id For Eg:- event=end somefield=job1-AAAAAAAAA Search 2:- event=B job_type=id For Eg:- event=start job1=AAAAAAAAA Can contain multiple job_types in single event Search 1 can contain 4 different types of "job_type", like, job1, job2, job3 and job4. Search 1 will only contain one "job_type" for any given event. Value of "id" is not extracted in any field. Search 2 contains the above 4 types of jobs with corresponding "id". But, few Search 2 events can have multiple job_types. For Eg:- event=start job1=AAAAAAAAA job2=BBBBBBBB I am using following transaction search, (Search 1) OR (Search 2) | rex somefield=(?>type>\w+\d)-(?>id>.*) | eval newfield=if(len(id)>0,id,if(len(job1)>0,job1,if(len(job2)>0,job2,if(len(job3)>0,job3,if(job4)>0,job4,"")))) | transaction newfield keepevicted=true maxspan=1m | where eventcount < 2 | table _raw type id Above search works fine, but when Search 1 contains job3 as job_type and Search 2 contains job1 and job3. It does not correlates events. This is expected as in "eval" condition job1 is given preference. I wanted to know if there is a way to reorder the "eval" condition based on job_type in Search 1, something like below (it does not works), | eval a = if(len(id)>0,id,if(len(job1)>0,job1,if(len(job2)>0,job2,if(len(job3)>0,job3,if(job4)>0,job4,"")))) | eval b = if(len(id)>0,id,if(len(job2)>0,job2,if(len(job1)>0,job1,if(len(job3)>0,job3,if(job4)>0,job4,"")))) | eval c = if(len(id)>0,id,if(len(job3)>0,job3,if(len(job2)>0,job2,if(len(job1)>0,job1,if(job4)>0,job4,"")))) | eval d = if(len(id)>0,id,if(len(job4)>0,job4,if(len(job2)>0,job2,if(len(job3)>0,job3,if(job1)>0,job1,"")))) | eval newfield=case( type=job1, a, type=job2, b, type=job3, c, type=job4, d, 1 == 1, "NULL" ) ... View more