Unfortunately it didn't work.
log2 always has userid.
Even
log2
| search [ search log1 | rex field=_raw "tid=,\"tid\":\"(?<tid1>.*)\";" | rename tid1 as query]
did not return any results.
When I search log2 and log1 | rex field=_raw "tid=,\"tid\":\"(?<tid1>.*)\";" | fields tid1 individually, they return results, so those portions are correct.