Hi all,
I'm having an issue combining two searches into one search.
I have a sourcetype that logs information about an event over several rows with a unique ID linking them all together. So what I do is I have a search that finds all unique IDs that match my criteria. I then manually copy-paste those into another search that uses transaction to group all the events with the same ID.
Example first search could be:
sourcetype=email subject="Invoice Number"
| stats count by ID
| fields ID
| mvcombine delim="," ID
| nomv ID
The result is a list of numbers like 111,222,333,444. So here I know there are 4 emails with that subject but in order to view the whole event I need to do a transaction.
The next search I do (in another tab) is the following:
sourcetype=email ID IN (111,222,333,444)
| transaction ID maxspan=5m
| stats count by subject,sender,recipient
Is there a way I can combine both of these searches into one search?
Thanks for any help that can be offered!
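One way to run this as a single search is to make the first search a subsearch that feeds its ID list into the second; this is an added example, not part of the original post, and it assumes the same sourcetype and field names (email, subject, ID, sender, recipient) used above. The subsearch's ID values are expanded into an `ID=111 OR ID=222 ...` filter for the outer search automatically.

```spl
sourcetype=email
    [ search sourcetype=email subject="Invoice Number"
      | stats count by ID
      | fields ID ]
| transaction ID maxspan=5m
| stats count by subject, sender, recipient
```

Subsearches are capped by default (10,000 results and 60 seconds), so a very large ID list can be silently truncated; compare the count from the first search against the combined result when validating it.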