Hello all, I've tried to search here and through search engines with no luck. I can't seem to get the knack for referencing which event's information I want to pick from. I'm trying to join together information from two different events, in the same sourcetype, but picking the relevant information from each of the two raw events into a singular more meaningful event. An example:

Event 1:

45 1 191 2020-07-20 20:55:26.540 1 873 23 NULL NULL cn13mhy SSS_ABC123_DB NULL NULL ; ; ; ; , 8.8.8.8, network password sybase encryption; ; cn13mhy/ase;

Event 2:

1 0 191 2020-07-20 20:55:26.543 1 873 NULL NULL NULL cn13mhy sybsystemprocs NULL NULL CLIENTAPPINFO;app_name=PPP host_pid=17544 NULL

The first numeric is the event number. 45 is the Sybase ASE login event. 1 is an application/vendor generated event lower into the application. Each event, 45 and 1, has useful information. Event=45, which will always generate with the older timestamp, has IP information within the extrainfo field. Event=1 has the application name and the host PID in the extrainfo field. I'm looking to merge those two events, with slightly dissimilar timestamps, into a single event where I can display 45's timestamp, 45's database name (SSS_ABC123_DB), the userid (cn13mhy in both), 1's app_name, and 1's host_pid.
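One way to do the correlation the post describes, as an added example that is not from the post or from Splunk: a small Python script that parses both raw lines, keys them on the shared spid/suid/loginname columns, and merges the event 45 login with the nearest following event 1 CLIENTAPPINFO record. The column order (event, eventmod, spid, eventtime, sequence, suid, dbid, objid, xactid, loginname, dbname, objname, objowner, extrainfo) is assumed from how the sample lines read, as is the 5-second pairing window; in Splunk the same grouping would be done on those extracted fields.

```python
import re
from datetime import datetime
# Constructed sample input: the two raw events quoted in the post, one per line.
RAW_EVENTS = [
    "45 1 191 2020-07-20 20:55:26.540 1 873 23 NULL NULL cn13mhy SSS_ABC123_DB NULL NULL "
    "; ; ; ; , 8.8.8.8, network password sybase encryption; ; cn13mhy/ase;",
    "1 0 191 2020-07-20 20:55:26.543 1 873 NULL NULL NULL cn13mhy sybsystemprocs NULL NULL "
    "CLIENTAPPINFO;app_name=PPP host_pid=17544 NULL",
]
# Assumed column layout (sysaudits-style); the post does not name the columns.
HEAD = re.compile(
    r"^(?P<event>\d+) (?P<eventmod>\d+) (?P<spid>\d+) "
    r"(?P<eventtime>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (?P<sequence>\d+) (?P<suid>\d+) "
    r"(?P<dbid>\S+) (?P<objid>\S+) (?P<xactid>\S+) (?P<loginname>\S+) (?P<dbname>\S+) "
    r"(?P<objname>\S+) (?P<objowner>\S+) (?P<extrainfo>.*)$"
)
def parse_event(raw):
    """Split one raw audit line into named columns; None if the line does not match."""
    m = HEAD.match(raw.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["eventtime"], "%Y-%m-%d %H:%M:%S.%f")
    return rec

def merge_login_events(raw_lines, window_seconds=5.0):
    """Pair each event 45 login with the nearest later event 1 CLIENTAPPINFO record
    from the same spid/suid/loginname and emit one merged record per pair."""
    parsed = [p for p in map(parse_event, raw_lines) if p]
    logins = [p for p in parsed if p["event"] == "45"]
    appinfo = [p for p in parsed if p["event"] == "1" and "CLIENTAPPINFO" in p["extrainfo"]]
    merged = []
    for login in logins:
        key = (login["spid"], login["suid"], login["loginname"])
        # Event 45 always carries the older timestamp, so only look forward in time.
        matches = [a for a in appinfo if (a["spid"], a["suid"], a["loginname"]) == key
                   and 0 <= (a["ts"] - login["ts"]).total_seconds() <= window_seconds]
        if not matches:
            continue  # login with no CLIENTAPPINFO follow-up: nothing to merge
        app = min(matches, key=lambda a: a["ts"])
        ip = re.search(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", login["extrainfo"])
        app_name = re.search(r"app_name=(\S+)", app["extrainfo"])
        host_pid = re.search(r"host_pid=(\d+)", app["extrainfo"])
        merged.append({"timestamp": login["eventtime"],  # 45's timestamp and dbname
                       "dbname": login["dbname"], "userid": login["loginname"],
                       "client_ip": ip.group(0) if ip else None,
                       "app_name": app_name.group(1) if app_name else None,
                       "host_pid": host_pid.group(1) if host_pid else None})
    return merged
```

Running `merge_login_events(RAW_EVENTS)` yields one merged record carrying 45's timestamp and database, the shared userid, the client IP, and 1's app_name and host_pid; a login with no matching CLIENTAPPINFO event within the window is simply skipped.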