Thanks for your response again and sorry for the confusion. My sanitising of logs obviously hasn't helped.

The UPN and shortname are the two options for values in the User_Name field. The infrastructure writes both versions (to pass on both credential options). Other than that the two log entries are identical. I need to create a report for someone analysing the data and they need it to include only the UPN format value and ignore the shortname. The problem being that they are values in the same field in virtually identical log entries. And I should have mentioned that the groupname is pulled out via field extraction from the list of AD groups so is a field in itself.

So from the log entries:

I need to take the time, session_id and User_Name from the following log entry.

Feb 18 08:00:33 #src_ip# hostname="hostname",errdefs_msgno="989898989: 5:",partition_name="ptnname",session_id="00000000",Access_Profile="profile_name",Partition="partition_name",Session_Id="00000000",User_Name="user@domain"

I can ignore this entry. It was included just to show the fact that the two log entries are identical except for the field value for User_Name.

Feb 18 08:00:33 #src_ip# hostname="hostname",errdefs_msgno="989898989: 5:",partition_name="ptnname",session_id="00000000",Access_Profile="profile_name",Partition="partition_name",Session_Id="00000000",User_Name="shortname"

I need to correlate the session_id from log entry one and use that to correlate the group_name from this log entry (It is a field extraction so literally group_name=#returned_value#).

Feb 18 08:00:33 #src_ip# hostname="hostname",errdefs_msgno="01490113: 5:",partition_name="partition_name",session_id="00000000",Access_Profile="profile_name",Partition="partition_name",Session_Id="00000000",Session_Variable_Name="session.ad.last.attr.memberOf",Session_Variable_Value="| | CN=groupname,OU=OU3,OU=OU2,OU=OU1,DC=domain,DC=com,DC=au |"

Which hopefully will end up with a table that has time, session_id, groupname and User_Name (in UPN format only).
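The correlation described in the post above, worked through offline as an added Python example that is not part of the original post. The names `parse` and `build_report` are hypothetical; it assumes a UPN value always contains "@" while a shortname never does, and that group DNs contain no escaped commas.

```python
import re

KV = re.compile(r'(\w+)="([^"]*)"')           # key="value" pairs as in the posted entries
TS = re.compile(r'^(\w{3}\s+\d+\s[\d:]{8})')  # syslog-style timestamp at line start
CN = re.compile(r'CN=([^,|]+)')               # group name = CN of each memberOf DN

# The three sanitised entries from the post (placeholder values kept as posted).
SAMPLE = [
    'Feb 18 08:00:33 #src_ip# hostname="hostname",errdefs_msgno="989898989: 5:",'
    'partition_name="ptnname",session_id="00000000",Access_Profile="profile_name",'
    'Partition="partition_name",Session_Id="00000000",User_Name="user@domain"',
    'Feb 18 08:00:33 #src_ip# hostname="hostname",errdefs_msgno="989898989: 5:",'
    'partition_name="ptnname",session_id="00000000",Access_Profile="profile_name",'
    'Partition="partition_name",Session_Id="00000000",User_Name="shortname"',
    'Feb 18 08:00:33 #src_ip# hostname="hostname",errdefs_msgno="01490113: 5:",'
    'partition_name="partition_name",session_id="00000000",Access_Profile="profile_name",'
    'Partition="partition_name",Session_Id="00000000",'
    'Session_Variable_Name="session.ad.last.attr.memberOf",'
    'Session_Variable_Value="| | CN=groupname,OU=OU3,OU=OU2,OU=OU1,DC=domain,DC=com,DC=au |"',
]

def parse(line):
    """Return the timestamp plus every key="value" field of one entry."""
    fields = dict(KV.findall(line))
    m = TS.match(line)
    fields["time"] = m.group(1) if m else None
    return fields

def build_report(lines):
    """One row per (session, UPN login, group); shortname logins are skipped."""
    logins, groups = {}, {}
    for f in map(parse, lines):
        sid = f.get("session_id")
        if sid is None:
            continue
        user = f.get("User_Name")
        if user and "@" in user:              # UPN form only; a shortname has no "@"
            logins[sid] = (f["time"], user)
        if f.get("Session_Variable_Name") == "session.ad.last.attr.memberOf":
            value = f.get("Session_Variable_Value", "")
            groups.setdefault(sid, []).extend(CN.findall(value))
    # Join the two event types on session_id; arrival order does not matter.
    return [(t, sid, g, u) for sid, (t, u) in logins.items()
            for g in groups.get(sid, [])]

if __name__ == "__main__":
    for row in build_report(SAMPLE):
        print(*row, sep=" | ")
```

Sessions that log only a shortname, or that have no memberOf entry, produce no row, which makes gaps in either event type visible when the report is compared against raw session counts.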