
Using transaction on a field alias I created for 2 fields with different names in different sourcetypes, why am I unable to group all matching events?

noybin
Communicator

Hi,

I have 2 sourcetypes: wineventlog:security and WinEventLog:Microsoft-Windows-Sysmon/Operational. I have extracted a field from each of them:

[WinEventLog:Microsoft-Windows-Sysmon/Operational]
Extract-LogonIDSysmon = (LogonId:)(\s)*(\t)*(?P<LogonIDSysmon>(0x)?[0-9a-f]+)

[WinEventLog:Security]
EXTRACT-LogonID = (\s)*(\t)*(Logon ID:)(\s)*(\t)*(?P<LogonID>(0x)?[0-9a-f]+)

I need to search the events that match those values grouped together. I tried to use the transaction command and thought this could be done by creating an alias for those fields:

[WinEventLog:Microsoft-Windows-Sysmon/Operational]
FIELDALIAS-LogonIdMulti = LogonIDSysmon AS LogonIdMulti

[WinEventLog:Security]
FIELDALIAS-LogonIdMulti = LogonID AS LogonIdMulti

When I run the search:

index=* (sourcetype="wineventlog:security" OR sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational")  host="progressive.lightech.ar" | transaction LogonIdMulti | sort -_time

Only events from sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational appear.

When I run the search:

index=* sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational"  host="progressive.lightech.ar" | transaction LogonIdMulti | sort -_time

I have results and I see the field LogonIdMulti on the left, like the other fields.

But when I run the search:

index=* sourcetype="wineventlog:security"  host="progressive.lightech.ar" | transaction LogonIdMulti | sort -_time

I have no results and the field LogonIdMulti doesn't appear.

But when I run:

index=* sourcetype="wineventlog:security"  host="progressive.lightech.ar" | transaction LogonID | sort -_time

I have results, although the field LogonIdMulti is not listed on the left.

What is the correct way to achieve my purpose of having all the events that match those fields together as a transaction?

Thank you very much.

1 Solution

noybin
Communicator

I think I found the solution:

index=* (sourcetype="wineventlog:security" OR sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational") host="progressive*" | eval LogonIdMix = coalesce(LogonID, LogonIDSysmon) | sort -_time | transaction LogonIdMix

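As an added illustration, not part of the original post, the following Python script applies the two EXTRACT regexes from the question to a few constructed Security and Sysmon events, coalesces the two field names into one key the way the accepted search's eval does, and groups events by that key the way transaction would. The event text and timestamps are constructed; the sourcetype comparison being case-insensitive is an assumption of this script.

```python
import re
from collections import defaultdict

# The two EXTRACT regexes from the question, one per sourcetype.
SYSMON_RE = re.compile(r"(LogonId:)(\s)*(\t)*(?P<LogonIDSysmon>(0x)?[0-9a-f]+)")
SECURITY_RE = re.compile(r"(\s)*(\t)*(Logon ID:)(\s)*(\t)*(?P<LogonID>(0x)?[0-9a-f]+)")

# Constructed sample events, not real logs: (_time, sourcetype, _raw).
EVENTS = [
    (100, "WinEventLog:Security", "EventCode=4624 An account was successfully logged on. Logon ID:\t\t0x3e7a1"),
    (105, "WinEventLog:Microsoft-Windows-Sysmon/Operational", "EventCode=1 Process Create: LogonId: 0x3e7a1 Image: cmd.exe"),
    (110, "WinEventLog:Microsoft-Windows-Sysmon/Operational", "EventCode=1 Process Create: LogonId: 0x4b22 Image: powershell.exe"),
    (120, "WinEventLog:Security", "EventCode=4634 An account was logged off. Logon ID:\t\t0x3e7a1"),
    (130, "WinEventLog:Security", "EventCode=4624 An account was successfully logged on. Logon ID:\t\t0x4b22"),
    (140, "WinEventLog:Security", "EventCode=4688 A new process has been created."),  # no Logon ID field
]

def extract_fields(sourcetype, raw):
    """Mimic the per-sourcetype EXTRACT stanzas: each sourcetype produces its own field name."""
    fields = {}
    st = sourcetype.lower()  # assumption: match the sourcetype case-insensitively
    if st == "wineventlog:microsoft-windows-sysmon/operational":
        m = SYSMON_RE.search(raw)
        if m:
            fields["LogonIDSysmon"] = m.group("LogonIDSysmon")
    elif st == "wineventlog:security":
        m = SECURITY_RE.search(raw)
        if m:
            fields["LogonID"] = m.group("LogonID")
    return fields

def coalesce(fields, *names):
    """Splunk-style coalesce(): the first of the named fields that is present."""
    for name in names:
        if name in fields:
            return fields[name]
    return None

def build_transactions(events):
    """Equivalent of `eval LogonIdMix=coalesce(LogonID, LogonIDSysmon) | transaction LogonIdMix`."""
    groups = defaultdict(list)
    for t, st, raw in sorted(events):
        key = coalesce(extract_fields(st, raw), "LogonID", "LogonIDSysmon")
        if key is None:
            continue  # an event with neither field can never join a transaction
        groups[key].append((t, st, raw))
    # Per group: eventcount, duration and which sourcetypes contributed, as transaction reports.
    return {k: {"eventcount": len(v), "duration": v[-1][0] - v[0][0],
                "sourcetypes": sorted({e[1] for e in v})} for k, v in groups.items()}
```

One caveat the script makes visible: both regexes accept only lowercase hex digits, so a Logon ID written as 0x3E7 is captured truncated as 0x3, which would silently split or merge transactions.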