I am running a query like this index=main source=transferstatus sourcetype=logs transaction.transferSet.FileName="*myfile*" | stats dc(transaction.Id) by transaction.Id this gives me the unique transaction Ids that i am looking for Now i want to pass this unique transaction Ids to a query like below index=main source=transferstatus sourcetype=logs transaction.action="success" transaction.Id=[ pass each unique value i got from first query to here] transaction.action="success" will not present on the first query results.. it will be part of success events that wont have "transaction.transferSet.FileName" field in it. how do I join these two queries?
... View more