I have two events:
Event 1:
transactionId=123 field_x=x_value
Event 2:
transactionId=123 status=success
How can I correlate these two?
I want to create a timechart for “field_x” when “status=success”
So, basically, the search query is:
transactionId field_x | timechart count by field_x
But I want to get all “field_x” only when status=success.
So, I guess this is equivalent to SQL IN() construct:
SELECT field_x from table where transactionId IN (SELECT transactionId from table where status=success);
I am trying to do a subsearch like:
source="source1" field_x=* transactionId [search source="source1" AND status=success | fields transactionId] | timechart count by field_x
Doesn't seem to be working.
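The correlation the post is after, modelled in Python as an added example (not code from the post or from Splunk): the "subsearch" is the set of transactionIds that have a status=success event, the outer search keeps field_x events whose transactionId is in that set, and the timechart step buckets the survivors by time and counts by field_x. The event lines, timestamps, 5-minute span and transactionId values below are constructed for the example; only the field names come from the post.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample events (not from the original post): each line is a
# timestamp followed by key=value pairs, in the style of the question.
SAMPLE_EVENTS = """\
2024-01-01T10:00:00Z transactionId=123 field_x=x_value
2024-01-01T10:00:05Z transactionId=123 status=success
2024-01-01T10:01:00Z transactionId=124 field_x=x_other
2024-01-01T10:01:02Z transactionId=124 status=failure
2024-01-01T10:02:00Z transactionId=125 field_x=x_value
2024-01-01T10:02:30Z transactionId=125 status=success
2024-01-01T10:07:00Z transactionId=126 field_x=x_other
2024-01-01T10:07:10Z transactionId=126 status=success
"""

# key=value pairs; values may be quoted so they can contain spaces
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one 'timestamp k=v k=v ...' line into a dict with a '_time' key."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["_time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return fields


def successful_transactions(events):
    """The 'subsearch': every transactionId that has a status=success event."""
    return {e["transactionId"] for e in events if e.get("status") == "success"}


def correlate_field_x(events):
    """The outer search: field_x events whose transactionId is in the subsearch set
    (the SQL 'transactionId IN (SELECT ...)' the post compares it to)."""
    ok = successful_transactions(events)
    return [e for e in events if "field_x" in e and e.get("transactionId") in ok]


def timechart_count_by(events, field, span_seconds):
    """Mimic '| timechart span=<n> count by <field>': bucket on _time, count values."""
    chart = defaultdict(Counter)
    for e in events:
        epoch = int(e["_time"].timestamp())
        bucket = epoch - (epoch % span_seconds)  # floor to the span boundary
        chart[bucket][e[field]] += 1
    return {
        datetime.fromtimestamp(b, timezone.utc).isoformat(): dict(c)
        for b, c in sorted(chart.items())
    }


def run(raw=SAMPLE_EVENTS, span_seconds=300):
    """Full pipeline: parse -> correlate on transactionId -> timechart by field_x."""
    events = [parse_event(l) for l in raw.splitlines() if l.strip()]
    return timechart_count_by(correlate_field_x(events), "field_x", span_seconds)


if __name__ == "__main__":
    for bucket, counts in run().items():
        print(bucket, counts)
```

Transaction 124 drops out because its status is failure, so the 10:00 bucket counts x_value twice (123 and 125) and the 10:05 bucket counts x_other once (126). The same set-then-filter shape is what a Splunk subsearch produces, with the caveat that subsearch output is capped by default, so on large result sets the correlation is usually rewritten as a `stats` grouped by transactionId followed by a filter on the aggregated status field.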