First, if you have any influence at all on the developers, persuade, plead with, beg them to make logs complete. Second, because you are confident that groupid is always included in the login event, I would recommend mending partial JSON into conformant objects, like thus:

````
| rex mode=sed "s/(\"groupid\": *\"[^\"]+\"),.*/\1}}/"
``` | eval valid = if(json_valid(_raw), "yes", "no") ```
| spath
````

Your sample input now becomes:

| field | value |
|---|---|
| context | Rsomeserver:8877-T1670321752-P18407-T030-C000025-S38 |
| message.agent | true |
| message.cssurl | ["/css/somepage.css","/branding/"] |
| message.groupid | Group0000000945 |
| message.loginid | somelogin101 |
| message.ownerid | system |
| message.state | ok |
| message.userid | User0000000949 |
| message.username | John Smith |
| sequence | 998 |
| type | login |

This would be much easier to handle. To achieve your combined search, you want to retrieve all events in both searches, then perform stats on them, like thus:

````
index=myindex (("events") OR ("events2")) OR ("\"login\"\,\"context\"") AND ("username")
| rex mode=sed "s/(\"groupid\": *\"[^\"]+\"),.*/\1}}/"
``` you can design another rex to make "events or events2" conformant ```
| spath
| rename message.* AS *
| rex "\"context\"\s*:\"(?<context>.[^\"]+)\""
| rex "\"type\"\s*:\"(?<type>.[^\"]+)\""
``` unnecessary if "events or events2" are already mended ```
| stats dc(type) count by username userid groupid context
| where 'dc(type)' > 1
````
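To check the mend, validate and stats logic offline before running it in Splunk, here is an added Python port of the pipeline above (example code, not part of the original answer); it assumes, as the answer does, that groupid is the last field that always survives truncation, and it runs on constructed truncated sample events.

```python
import json
import re
from collections import defaultdict

# Same substitution as the SPL `rex mode=sed "s/(\"groupid\": *\"[^\"]+\"),.*/\1}}/"`:
# keep everything up to the groupid field, drop the truncated tail, and close
# both the nested "message" object and the outer event.
MEND = re.compile(r'("groupid": *"[^"]+"),.*')

def mend(raw: str) -> str:
    return MEND.sub(r'\1}}', raw)

def parse(raw: str):
    """Mend, then parse; None plays the role of json_valid(_raw) being false."""
    try:
        return json.loads(mend(raw))
    except json.JSONDecodeError:
        return None

def multi_type_actors(events):
    """`rename message.* AS * | stats dc(type) count by username userid groupid context
    | where 'dc(type)' > 1`, returned as {(username, userid, groupid, context): (dc, count)}."""
    groups = defaultdict(lambda: {"types": set(), "count": 0})
    for ev in events:
        msg = ev.get("message", {})
        key = (msg.get("username"), msg.get("userid"), msg.get("groupid"), ev.get("context"))
        groups[key]["types"].add(ev.get("type"))
        groups[key]["count"] += 1
    return {k: (len(v["types"]), v["count"]) for k, v in groups.items() if len(v["types"]) > 1}

# Constructed sample events (hypothetical values), each cut off mid-object like the
# question's logs. Assumption: groupid is the last field that survives the truncation.
SAMPLE_LINES = [
    '{"context": "Rsomeserver:8877-T1670321752", "sequence": 998, "type": "login", '
    '"message": {"userid": "User0000000949", "username": "John Smith", '
    '"groupid": "Group0000000945", "ownerid": "system", "st',
    '{"context": "Rsomeserver:8877-T1670321752", "sequence": 999, "type": "logout", '
    '"message": {"userid": "User0000000949", "username": "John Smith", '
    '"groupid": "Group0000000945", "ownerid": "sys',
    '{"context": "Rsomeserver:8877-T1670321753", "sequence": 1000, "type": "login", '
    '"message": {"userid": "User0000000950", "username": "Jane Doe", '
    '"groupid": "Group0000000946", "own',
    'not json at all',  # stays invalid, dropped like json_valid(_raw) == false
]

def run(lines):
    events = [ev for ev in map(parse, lines) if ev is not None]
    return events, multi_type_actors(events)

if __name__ == "__main__":
    events, hits = run(SAMPLE_LINES)
    print(f"{len(events)} of {len(SAMPLE_LINES)} lines mended into valid JSON")
    for key, (dc, count) in hits.items():
        print(f"{key}: dc(type)={dc} count={count}")
```

Only the John Smith login/logout pair survives the `dc(type) > 1` filter; the single-type Jane Doe event and the unparseable line do not.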