As I said, it was a deduction. From your description, "request id:* completed" is only found in log2, and "Received from client * for user * and request id: *" is only found in log1. Assuming log1 and log2 are in the source field, the search term (index=index1 "Received from client * for user * and request id: *" OR "request id:* completed") makes sure that if an event has source=="log2", it must contain "request id:* completed". The "request id" (or, in my code sample, "id") is computed via stats groupby. But the stats command in the previous post was incorrect: group by id and group by user cannot be in a single stats. The correct command should be:

(index=index1 "Received from client * for user * and request id: *" OR "request id:* completed") OR
(index=index2 "User * has total sent items count : *")
| rex "request id:\s*(?<id>\w+)"
| rex "from client (?<client>\S+)"
| rex "[uU]ser (?<user>\S+)"
| rex "items count : (?<itemCount>\d+)"
| eventstats values(source) as source values(user) as user by id ``` operates on index=index1 source IN (log1, log2) ```
| where source == "log2" ``` only users who have at least one id that is in log2 will remain in index1 ```
| stats sum(itemCount) as "Items count" values(index) as index by user
| where isnotnull('Items count') AND index == "index1" ``` only users who have a remaining entry in index1, i.e., who have at least one id that is in log2, i.e., who have at least one "completed" record, AND who also have at least one 'Items count' ```

Similar to the deduction about log2, index == "index1" deduces that the user has at least one request id that is in log2, and therefore must have at least one "completed" request id.
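To make the deduction above concrete, here is an added Python re-implementation of the same correlation over constructed sample events (this is not part of the original thread and not Splunk code): a user keeps their index2 item counts only if at least one of their request ids also appears in log2.

```python
import re
from collections import defaultdict

# Constructed sample events: (index, source, raw text). Not from the thread.
EVENTS = [
    ("index1", "log1", "Received from client c1 for user alice and request id: r1"),
    ("index1", "log1", "Received from client c2 for user bob and request id: r2"),
    ("index1", "log1", "Received from client c3 for user carol and request id: r3"),
    ("index1", "log2", "request id: r1 completed"),
    ("index1", "log2", "request id: r3 completed"),
    ("index2", "app", "User alice has total sent items count : 5"),
    ("index2", "app", "User alice has total sent items count : 7"),
    ("index2", "app", "User bob has total sent items count : 3"),
    ("index2", "app", "User dave has total sent items count : 9"),
]

# Same extractions as the rex commands in the search.
RE_ID = re.compile(r"request id:\s*(\w+)")
RE_USER = re.compile(r"[uU]ser (\S+)")
RE_COUNT = re.compile(r"items count : (\d+)")


def items_for_users_with_completed_request(events):
    # eventstats values(source), values(user) by id: gather per request id.
    sources_by_id = defaultdict(set)
    users_by_id = defaultdict(set)
    for _index, source, raw in events:
        m = RE_ID.search(raw)
        if not m:
            continue  # index2 events carry no id and are skipped here
        sources_by_id[m.group(1)].add(source)
        u = RE_USER.search(raw)
        if u:
            users_by_id[m.group(1)].add(u.group(1))
    # where source == "log2": an id is "completed" only if log2 saw it.
    completed_users = set()
    for rid, srcs in sources_by_id.items():
        if "log2" in srcs:
            completed_users |= users_by_id[rid]
    # stats sum(itemCount) by user, keeping only users with a completed id
    # and a non-null item count (the final where clause).
    totals = defaultdict(int)
    for index, _source, raw in events:
        if index != "index2":
            continue
        u, c = RE_USER.search(raw), RE_COUNT.search(raw)
        if u and c and u.group(1) in completed_users:
            totals[u.group(1)] += int(c.group(1))
    return dict(totals)
```

With the constructed events, alice (r1 completed, two counts) is the only user returned; bob's request never completed, carol has no counts, and dave has no request at all.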