Hi, I wonder whether someone may be able to help me please.
I have the following two queries:
index=main auditSource="agent-f" auditType=ServiceSentResponse detail.referrer="*deletion*" "detail.Location"="/agent/verification-list"
|rex field="tags.X-Session-ID" "session\-(?<SessionID>[\S]+)"
|stats count(SessionID) as "Number of Clients Deleted" by SessionID
index=main auditSource="agent-p" auditType=MetricGetClientListTotal
| rex field="tags.X-Session-ID" "session\-(?<SessionID>[\S]+)"
| stats count by SessionID detail.agent-code
What I'm trying to do is join them using the SessionID and then create a table at the end which displays the fields "detail.agent-code" and "Number of Clients Deleted".
I have used join queries before but never where regex events have had to be written, i.e. using 'explicit' rather than 'implicit' events.
I just wonder whether someone may be able to look at this please and offer some guidance on how I may be able to do this.
Many thanks and kind regards
Chris
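
One way to combine the two searches above on the extracted SessionID, shown as an added example that is not part of the original post. It reuses only the searches and field names from the post and assumes that both event types carry the same tags.X-Session-ID value for a given session.

```spl
index=main auditSource="agent-f" auditType=ServiceSentResponse detail.referrer="*deletion*" "detail.Location"="/agent/verification-list"
| rex field="tags.X-Session-ID" "session\-(?<SessionID>[\S]+)"
| stats count(SessionID) as "Number of Clients Deleted" by SessionID
| join type=inner SessionID
    [ search index=main auditSource="agent-p" auditType=MetricGetClientListTotal
      | rex field="tags.X-Session-ID" "session\-(?<SessionID>[\S]+)"
      | stats count by SessionID detail.agent-code ]
| table detail.agent-code "Number of Clients Deleted"
```

The rex extraction has to run inside the subsearch as well as in the outer search, because SessionID only exists after extraction in each pipeline. The join subsearch is subject to Splunk's subsearch result and runtime limits, so sessions beyond those limits will be missing from the table.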