Hi,
I started to work on this request again and, keeping in mind @somesoni2's remark about identifiers, I have been able to work around this.
So the request's principle is the following (dirty):
Make a subsearch to get all A events and their ID
Make a subsearch to get all D events and their ID
Sort results by _time descending order
Get transactions by ID starting with A and ending with D
????
Profit!
The request looks something like this:
| append [
    search index etc.
    (A event or ID event for A)
    | rex get ID in a named field
    | transaction startswith="A event" endswith="ID for A event" mvlist=t
    | eval ID=mvindex(ID, 1), event="A"
  ]
| append [
    search index etc.
    (D event or ID event for D)
    | rex get ID in a named field
    | transaction startswith="D event" endswith="ID of D event" mvlist=t
    | eval ID=mvindex(ID, 1), event="D"
  ]
| sort - _time
| transaction ID startswith=eval(event=="A") endswith=eval(event=="D")