Does Loki support union?

Hello,
My goal is to produce output like the following:

DESKTOP-1PNH21K | Grafana | 2025-02-16T06:03:34.1553431Z | C:\Users\Grafana\Desktop\Test | File | An object was deleted.

The basic information from IDs 4660 and 4663 is as follows:

{
  "source": "Microsoft-Windows-Security-Auditing",
  "channel": "Security",
  "computer": "DESKTOP-1PNH21K",
  "event_id": 4660,
  "task": 12800,
  "levelText": "Information",
  "taskText": "File System",
  "opCodeText": "Info",
  "keywords": "Audit Success",
  "timeCreated": "2025-02-16T06:03:33.9392827Z",
  "eventRecordID": 139393,
  "execution": {
    "processId": 4,
    "threadId": 312,
    "processName": "System"
  },
  "event_data": "<Data Name='SubjectUserSid'>S-1-5-21-2104788189-4142446361-3889847816-1001</Data><Data Name='SubjectUserName'>Grafana</Data><Data Name='SubjectDomainName'>DESKTOP-1PNH21K</Data><Data Name='SubjectLogonId'>0x36891</Data><Data Name='ObjectServer'>Security</Data><Data Name='HandleId'>0x2340</Data><Data Name='ProcessId'>0x1218</Data><Data Name='ProcessName'>C:\\Windows\\explorer.exe</Data><Data Name='TransactionId'>{00000000-0000-0000-0000-000000000000}</Data>",
  "message": "An object was deleted.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-2104788189-4142446361-3889847816-1001\r\n\tAccount Name:\t\tGrafana\r\n\tAccount Domain:\t\tDESKTOP-1PNH21K\r\n\tLogon ID:\t\t0x36891\r\n\r\nObject:\r\n\tObject Server:\tSecurity\r\n\tHandle ID:\t0x2340\r\n\r\nProcess Information:\r\n\tProcess ID:\t0x1218\r\n\tProcess Name:\tC:\\Windows\\explorer.exe\r\n\tTransaction ID:\t{00000000-0000-0000-0000-000000000000}"
}


The event_data section:

Subject User SID: S-1-5-21-2104788189-4142446361-3889847816-1001

Subject User Name: Grafana

Subject Domain Name: DESKTOP-1PNH21K

Subject Logon ID: 0x36891

Object Server: Security

Handle ID: 0x2340

Process ID: 0x1218

Process Name: C:\Windows\explorer.exe

Transaction ID: {00000000-0000-0000-0000-000000000000}

And:

{
  "source": "Microsoft-Windows-Security-Auditing",
  "channel": "Security",
  "computer": "DESKTOP-1PNH21K",
  "event_id": 4663,
  "version": 1,
  "task": 12800,
  "levelText": "Information",
  "taskText": "File System",
  "opCodeText": "Info",
  "keywords": "Audit Success",
  "timeCreated": "2025-02-16T06:03:34.1553431Z",
  "eventRecordID": 139427,
  "execution": {
    "processId": 4,
    "threadId": 312,
    "processName": "System"
  },
  "event_data": "<Data Name='SubjectUserSid'>S-1-5-21-2104788189-4142446361-3889847816-1001</Data><Data Name='SubjectUserName'>Grafana</Data><Data Name='SubjectDomainName'>DESKTOP-1PNH21K</Data><Data Name='SubjectLogonId'>0x36891</Data><Data Name='ObjectServer'>Security</Data><Data Name='ObjectType'>File</Data><Data Name='ObjectName'>C:\\Users\\Grafana\\Desktop\\Test</Data><Data Name='HandleId'>0x2378</Data><Data Name='AccessList'>%%4423</Data><Data Name='AccessMask'>0x80</Data><Data Name='ProcessId'>0x1218</Data><Data Name='ProcessName'>C:\\Windows\\explorer.exe</Data><Data Name='ResourceAttributes'>S:AI</Data>",
  "message": "An attempt was made to access an object.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-2104788189-4142446361-3889847816-1001\r\n\tAccount Name:\t\tGrafana\r\n\tAccount Domain:\t\tDESKTOP-1PNH21K\r\n\tLogon ID:\t\t0x36891\r\n\r\nObject:\r\n\tObject Server:\t\tSecurity\r\n\tObject Type:\t\tFile\r\n\tObject Name:\t\tC:\\Users\\Grafana\\Desktop\\Test\r\n\tHandle ID:\t\t0x2378\r\n\tResource Attributes:\tS:AI\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x1218\r\n\tProcess Name:\t\tC:\\Windows\\explorer.exe\r\n\r\nAccess Request Information:\r\n\tAccesses:\t\tReadAttributes\r\n\t\t\t\t\r\n\tAccess Mask:\t\t0x80"
}


The event_data section:

Subject User SID: S-1-5-21-2104788189-4142446361-3889847816-1001

Subject User Name: Grafana

Subject Domain Name: DESKTOP-1PNH21K

Subject Logon ID: 0x36891

Object Server: Security

Object Type: File

Object Name: C:\Users\Grafana\Desktop\Test

Handle ID: 0x2378

Access List: %%4423

Access Mask: 0x80

Process ID: 0x1218

Process Name: C:\Windows\explorer.exe

Resource Attributes: S:AI

I have written the queries separately:

{job="windows-security"} 
| json 
| event_id = "4660" 
| line_format "{{.computer}} | {{.SubjectUserName}} | {{.timeCreated}} | {{.ObjectName}} | {{.ObjectType}} | {{.message}}"

{job="windows-security"} 
| json 
| event_id = "4663" 
| line_format "{{.computer}} | {{.SubjectUserName}} | {{.timeCreated}} | {{.ObjectName}} | {{.ObjectType}}"

How can I combine these two queries to produce the output I want?

Any ideas are welcome.

Thank you.

I wrote the following query:

{job="windows-security"} | json | event_id=4660 or event_id=4663 | line_format "{{ .computer }} | {{ .timeCreated }} | {{ regexReplaceAll `(?i).*<Data Name='SubjectUserName'>([^<]+)</Data>.*` .event_data `$1` }} |  {{ regexReplaceAll `(?i).*<Data Name='ObjectName'>([^<]+)</Data>.*` .event_data `$1` }} | {{ regexReplaceAll `(?i).*<Data Name='ObjectType'>([^<]+)</Data>.*` .event_data `$1` }}"

and the output is:

DESKTOP-1PNH21K | 2025-02-16T11:46:24.6644245Z | Grafana
				</Data><Data Name='AccessMask'>0x80</Data><Data Name='ProcessId'>0x1218</Data><Data Name='ProcessName'>C:\Windows\explorer.exe</Data><Data Name='ResourceAttributes'>S:AI</Data> |  C:\Users\Grafana\Desktop\Test
				</Data><Data Name='AccessMask'>0x80</Data><Data Name='ProcessId'>0x1218</Data><Data Name='ProcessName'>C:\Windows\explorer.exe</Data><Data Name='ResourceAttributes'>S:AI</Data> | File
				</Data><Data Name='AccessMask'>0x80</Data><Data Name='ProcessId'>0x1218</Data><Data Name='ProcessName'>C:\Windows\explorer.exe</Data><Data Name='ResourceAttributes'>S:AI</Data>

How can I remove extra information like </Data><Data Name='AccessMask'>0x80</Data><Data Name='ProcessId'>0x1218</Data><Data Name='ProcessName'>C:\Windows\explorer.exe</Data><Data Name='ResourceAttributes'>S:AI</Data>?
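
An added example (not part of the original post, and not Loki's own code) that reproduces the leftover text in Go, whose regexp syntax is what Loki's template `regexReplaceAll` uses: `.` does not match a newline unless the `s` flag is set, and the `AccessList` value ends in a newline and tabs, as the posted output shows. The `eventData` sample is constructed from the post's 4663 event, and `replaceField` and `parseEventData` are hypothetical helper names.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample: the 4663 event_data from the post, shortened, with the
// newline and tabs after %%4423 that the posted output shows.
const eventData = "<Data Name='SubjectUserName'>Grafana</Data>" +
	"<Data Name='ObjectType'>File</Data>" +
	"<Data Name='ObjectName'>C:\\Users\\Grafana\\Desktop\\Test</Data>" +
	"<Data Name='AccessList'>%%4423\n\t\t\t\t</Data>" +
	"<Data Name='AccessMask'>0x80</Data>"

// replaceField (hypothetical helper) mirrors the template call
// regexReplaceAll `<flags>.*<Data Name='NAME'>([^<]+)</Data>.*` .event_data `$1`.
func replaceField(flags, name, data string) string {
	re := regexp.MustCompile(flags + `.*<Data Name='` + regexp.QuoteMeta(name) + `'>([^<]+)</Data>.*`)
	return re.ReplaceAllString(data, "$1")
}

// dataRe captures every Name/value pair; [^<]* also spans embedded newlines.
var dataRe = regexp.MustCompile(`<Data Name='([^']+)'>([^<]*)</Data>`)

// parseEventData (hypothetical helper) returns all fields, whitespace trimmed.
func parseEventData(data string) map[string]string {
	fields := map[string]string{}
	for _, m := range dataRe.FindAllStringSubmatch(data, -1) {
		fields[m[1]] = strings.TrimSpace(m[2])
	}
	return fields
}

func main() {
	// (?i) only: "." stops at the newline, so the tail of event_data survives.
	fmt.Printf("%q\n", replaceField("(?i)", "SubjectUserName", eventData))
	// (?is): "." also matches "\n", so the whole string collapses to the value.
	fmt.Printf("%q\n", replaceField("(?is)", "SubjectUserName", eventData))
	f := parseEventData(eventData)
	fmt.Println(f["SubjectUserName"], "|", f["ObjectName"], "|", f["ObjectType"], "|", f["AccessList"])
}
```

In the posted query this corresponds to changing `(?i)` to `(?is)` in each pattern. A pattern whose field is absent (4660 carries no `ObjectName`) does not match at all, so the replace returns `event_data` unchanged for that event.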