The query below also works, but it groups the Email, TransactionID and LoginTime fields together in ascending order for each SessionID, which causes a mismatch between the email, transaction ID and login time values. This happens because `stats values(*) as * by SessionID` returns each field's distinct values as its own sorted multivalue list, so values that came from the same event no longer line up with each other.
index = test "testrequest" | rex "(?:.+email\=)(?<Email>[a-zA-Z0-9_\-\@\.]+)" | rex "(?:.+trasactionId\=)(?<TransactionID>[a-zA-Z0-9-]+)" | rex "(?:.+TransactionTime\=)(?<LoginTime>[a-zA-Z0-9\s:]+EDT)" | rex "(?:.+Status\=)(?<Status>\w+)" | rex "(?:.+TimeTaken\=)(?<TimeTaken1>\d+)" | rex "(?:.+\+\+)(?<SessionID>[a-zA-Z0-9-_:@.]+)(?:\:Status)" | table Email,TransactionID,LoginTime,Status,TimeTaken,SessionID | append [search index = test "testresponse" | rex "(?:.+TransactionTime\=)(?<LogoutTime>[a-zA-Z0-9\s:]+EDT)" | rex "(?:.+SessionId\=)(?<SessionID>[a-zA-Z0-9-_:@.]+)(?:\:Status)" | table SessionID,LogoutTime] | stats values(*) as * by SessionID | table Email,TransactionID,LoginTime,TimeTaken,SessionID,LogoutTime,Status