I actually just used rex to pull from the other fields. Here is my final solution:

(index=k8s_main container_name=fraud-single-proxy-listener message="Successfully handled AuthorizationSucceeded event*")
    OR (index=app_pci source=http:nepp host=nepp-service-v3-prod message.message="Attempt to produce Kafka event finished: AuthorizationSucceeded*")
| rex field=_raw "\"orderId\":\"(?<nefi>.*?)\""
| rex field=message.message "\"orderNumber\":\"(?<nepp>.*?)\","
| eval orderId = if(index="app_pci", nepp, nefi)
| stats dc(index) AS indexCount min(_time) AS eventTime values(index) AS index BY orderId
| eval timeElapsed = now() - eventTime
| where indexCount = 1 AND index = "app_pci" AND (timeElapsed > (30*6000))
| fields orderId

Thanks for your help!
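The correlation the search above performs (extract the order identifier from two differently shaped events, group by it, and flag orders that only ever appear on the Kafka producer side and are older than a threshold) is shown here as an added Python example; it is not code from the original post or from Splunk. The log lines, timestamps, the `now` value, and the 30-minute default threshold are all constructed assumptions; the two regexes and the index/message prefixes are taken from the search on the page.

```python
import re
from collections import defaultdict

# Patterns mirror the two rex stages in the search above.
NEFI_RE = re.compile(r'"orderId":"(?P<nefi>.*?)"')          # k8s_main handler events
NEPP_RE = re.compile(r'"orderNumber":"(?P<nepp>.*?)",')     # app_pci producer events

# Message prefixes the search filters on for each index.
PRODUCER_PREFIX = "Attempt to produce Kafka event finished: AuthorizationSucceeded"
HANDLER_PREFIX = "Successfully handled AuthorizationSucceeded event"

# Constructed sample events (not real logs): (index, _time in epoch seconds, message).
SAMPLE_EVENTS = [
    ("app_pci", 1000, PRODUCER_PREFIX + ' {"orderNumber":"A-1","attempt":1}'),
    ("k8s_main", 1010, HANDLER_PREFIX + ' {"orderId":"A-1"}'),            # A-1 produced and handled
    ("app_pci", 2000, PRODUCER_PREFIX + ' {"orderNumber":"B-2","attempt":1}'),
    ("app_pci", 2500, PRODUCER_PREFIX + ' {"orderNumber":"B-2","attempt":2}'),  # duplicate producer event, never handled
    ("app_pci", 9990, PRODUCER_PREFIX + ' {"orderNumber":"C-3","attempt":1}'),  # never handled, but still recent
    ("k8s_main", 3000, HANDLER_PREFIX + ' {"orderId":"D-4"}'),            # handled with no producer record
    ("app_pci", 4000, "Some unrelated app_pci line"),                       # filtered out by the prefix check
]


def extract_order_id(index, message):
    """Apply the index-appropriate regex, like the eval if(index="app_pci", nepp, nefi)."""
    m = NEPP_RE.search(message) if index == "app_pci" else NEFI_RE.search(message)
    return m.group(1) if m else None


def find_unhandled_orders(events, now, threshold_seconds=30 * 60):
    """Return sorted orderIds that appear only in app_pci and whose oldest
    producer event is older than threshold_seconds at time `now`.

    The threshold default (30 minutes) is an assumption for this example."""
    by_order = defaultdict(lambda: {"indexes": set(), "times": []})
    for index, ts, message in events:
        # Equivalent of the two message="...*" filters in the base search.
        if index == "app_pci" and not message.startswith(PRODUCER_PREFIX):
            continue
        if index == "k8s_main" and not message.startswith(HANDLER_PREFIX):
            continue
        oid = extract_order_id(index, message)
        if oid is None:
            continue
        by_order[oid]["indexes"].add(index)
        by_order[oid]["times"].append(ts)

    flagged = []
    for oid, rec in by_order.items():
        # dc(index)=1 AND index="app_pci": seen on the producer side only.
        if rec["indexes"] != {"app_pci"}:
            continue
        # Use the oldest event so duplicates (B-2 here) do not hide an old, unhandled order.
        if now - min(rec["times"]) > threshold_seconds:
            flagged.append(oid)
    return sorted(flagged)


if __name__ == "__main__":
    print(find_unhandled_orders(SAMPLE_EVENTS, now=10000))
```

Taking the minimum timestamp per order is the reason the grouped time is reduced to a single scalar rather than kept as a list: with two producer events for B-2, the elapsed-time comparison must run against one value, and the oldest one is the conservative choice for an "unhandled for too long" check.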