Sumologic "full outer join" on transaction id

Question

Is there some way to get full outer join functionality with sumologic? The JOIN operator seems to give inner join

I have a logstream with stageA and stageB and I want to identify where there is a logline for stageA but not stageB for a shared identifier

{ id: '12324', stage: 'a' }
{ id: '12324', stage: 'b' }
{ id: '3467', stage: 'a' }

I would want results to only have id: '3467' since the other id has both stages.

Answer 1

Here is the query that I ended up with

1. parse id
2. transactionize on id
3. merge loglines on id within transaction
4. filter for transactions where stage b doesnt exist

5. exclude most recent loglines since transaction may span the query window

   ("id")
   | parse "id: *," as id 
   | transactionize id (merge id, _raw join with "\n\n") 
   | where !(_raw matches "*stage: \'b\'*") and _messageTime < now() - 1000*60*4