TLDR: How do I make the empty cells in the table below show the same data as the non-empty cells when the value shown in the first column is the same.
I am ingesting audit logs from my enterprise CAS stack witch handles single sign on for hundreds of services. Each type of action (authentication, granting ticket created, service ticket created, service ticket validattion success/failure, etc) has different fields with one or two common fields being shared. I want to be able to query accross these action types using common fields. The data table aggregation below probably explains this a lot better than I could in words:
As you can see from the aggregation above, there are some services trying to use the same service ticket more than once. When this happens, CAS will fail the validation attempt because service tickets are single use. If I see a spike in service ticket validation failures like the aggregation below shows, I want to be able to filter to that action and see the services and users belonging to each service ticket that failed validation via the table aggregation above. But since service and user are only logged in the service ticket created action, I loose that information when I filter to service ticket validate failed or success and only see the service ticket itself.