Hi, I need to match events across different logs. I believe that this should be done using transactions, but I'm not able to get it to work. My scenario is as follows:
If a user appears in one, it should have a companion entry in the other.
I need to find all users that logged to one, but not the other.
Individually, I can find users in each log by doing a simple:
search index=indexA userName
but I can't find a way of saying "once you find it in indexA, look for it in indexB, and alert me if you can't"
Any advice is greatly appreciated.
You probably want to use a subsearch that pulls the user id and matches (or NOT) across the other file. To do this:
Search for all users that logged into System A and output only the userids. Similar to:
source=Log_A user_logged_in | fields userid
Use the latter search as the subsearch to find logins for Log B. You must make sure that a field extraction exists for userid in Log B, otherwise the values passed from the subsearch won't match anything. Similar to:
source=Log_B [search source=Log_A user_logged_in | fields userid]
So, the above search should find all users that logged in to System A & B. To find users that have not logged into both, you should be able to NOT the subsearch.
source=Log_B NOT [search source=Log_A user_logged_in | fields userid]
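As an added example (not part of the answer above), the same comparison can be written without a subsearch by searching both sources at once and aggregating with stats. This sidesteps the default subsearch limits (10,000 results and 60 seconds), which silently truncate the userid list on busy logs, and the final where clause makes the direction explicit, so one search covers both "in A but not B" and the reverse. It assumes, as the answer does, that the same userid field is extracted from both Log_A and Log_B, and that the literal user_logged_in appears in the login events of both sources.

```spl
(source=Log_A user_logged_in) OR (source=Log_B user_logged_in)
| eval in_a=if(source="Log_A", 1, 0), in_b=if(source="Log_B", 1, 0)
| stats max(in_a) AS in_a, max(in_b) AS in_b, min(_time) AS first_seen, max(_time) AS last_seen BY userid
| where in_a=1 AND in_b=0
| convert ctime(first_seen) ctime(last_seen)
```

Change the last condition to in_b=1 AND in_a=0 for users seen in Log B but not in Log A, or to in_a=1 AND in_b=1 to list users present in both. The first_seen and last_seen columns are there to check that the comparison window is the one you expect; a user can look like a mismatch simply because the two logs are searched over different time ranges, so set one explicit range for the whole search before alerting on the result.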