I would like to use the join function (from what I understand from the SumoLogic documentation, it should be the best fit) and thus run a single search containing 2 different queries at the same time. The second query should rely on the same value of a field (TraceNumber) found by query 1, so based on the trace_number from query 1, a 2nd search can be performed and correlated to find username information. Any idea how to do it in the most appropriate way?
Query 1
_sourceCategory = "produdction1"
| json field=_raw "user" as http_m
| json field=_raw "uri" as uri
| json field=_raw "client_ip" as src_ip
| json field=_raw "trace" as trace_number
| values(http_m) as http_m, values(uri) as uri, values(trace_number) as trace_number by src_ip
Query 2
_sourceCategory = "produdction2"
| json field=_raw "user" as user
| json field=_raw "trace" as trace_number
| json field=_raw "true_ip" as src_ip
| values(user) as user, values(trace_number) as trace_number by src_ip
I tried to follow up on the vendor documentation but I'm still struggling to build my own query.
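One way to express the correlation described in the post with the Sumo Logic join operator, as an added example that is not part of the original post or of Sumo Logic's documentation. It reuses the source categories and JSON keys from the two queries above and assumes (a) that the `trace` value is shared by the request in produdction1 and the matching record in produdction2, (b) that `json` extraction and a `where` on `_sourceCategory` are accepted inside join sub-queries, and (c) that the `timewindow` clause is available to bound how far apart the two records may be in time; check each assumption against the join operator documentation for your Sumo Logic plan. The `nodrop` option keeps messages whose JSON lacks a key instead of silently discarding them, and the aggregation happens after the join because aggregations are not allowed inside the joined tables.

```sumologic
// Scope: the outer query must cover both source categories, since each joined
// table is a subset of the outer scope. (Added example, not the original post's query.)
(_sourceCategory = "produdction1" or _sourceCategory = "produdction2")
| join
    // Table 1: the request log carrying method, URI, client IP and the trace id
    (where _sourceCategory = "produdction1"
     | json field=_raw "user" as http_m nodrop
     | json field=_raw "uri" as uri nodrop
     | json field=_raw "client_ip" as src_ip nodrop
     | json field=_raw "trace" as trace_number) as t1,
    // Table 2: the record that holds the username and the same trace id
    (where _sourceCategory = "produdction2"
     | json field=_raw "user" as user nodrop
     | json field=_raw "trace" as trace_number
     | json field=_raw "true_ip" as src_ip nodrop) as t2
  // Correlate the two tables on the shared trace id (assumed unique per request)
  on t1.trace_number = t2.trace_number
  // Assumption: bound the pairing so an old trace id is not matched across hours of data
  timewindow 15m
// Joined fields are exposed as <table>_<field>
| fields t1_trace_number, t1_src_ip, t1_http_m, t1_uri, t2_user, t2_src_ip
// Aggregate only after the join: one row per username / source IP / URI
| count as requests by t2_user, t1_src_ip, t1_uri, t1_http_m
| sort by requests
```

Keep the sub-queries as narrow as possible (source category, key presence, any extra `where` on the URI or method): the join operator is limited to the messages each table returns, so a broad scope on a busy category is the usual reason such a search times out or exceeds the join result limits. If the two source categories have very different volumes, running query 2 first to produce the trace list and then filtering query 1 with a subquery is an alternative worth comparing against this join.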