Hello,
I have this subsearch command:
[search source="local/data/user/logs/access*" status =5* | table request_id]
It gets the request_ids from the table and searches for them globally. I have a service file in which the request_id field is not extracted by default and gets excluded from search results. How can I make sure that the subsearch includes the results from the service file?
Here is my command to extract the request_id field from the service file:
source="/home/user/logs/service*" | rex "Request\sID:\s(?<request_id>\w+)"
Thanks
Hi @mihirpradhan,
You should stably extract the field using your regex in the field extractor (not using the rex command); this way you'll have in props.conf:
EXTRACT-Full-Before-After-Size-Time = Request\sID:\s(?<request_id>\w+)
then extend your subsearch to the other source, something like this:
your_main_search [search index=your_index (source="local/data/user/logs/access*" status =5*) OR source="/home/user/logs/service*" | table request_id]
| ...
I suggest always using the index filter in your searches because they are faster.
Ciao.
Giuseppe
Thank you. That worked beautifully!
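An added example (not from the thread, and not Splunk's own code) that checks the thread's extraction regex offline and models the correlation the question describes: request_ids of 5xx access events used to select service events. The log layouts, sample values and function names are assumptions constructed for illustration.

```python
import re

# Same pattern as the rex / EXTRACT line in the thread. Python spells a named
# group (?P<name>...), where Splunk's PCRE also accepts (?<name>...).
REQUEST_ID = re.compile(r"Request\sID:\s(?P<request_id>\w+)")

# Constructed sample events; the real log layouts are assumptions.
ACCESS = [
    {"request_id": "a1f3", "status": "500"},
    {"request_id": "b7c2", "status": "200"},
    {"request_id": "c9d4", "status": "503"},
]
SERVICE = [
    "2024-01-01 10:00:01 ERROR Request ID: a1f3 upstream timeout",
    "2024-01-01 10:00:02 INFO Request ID: b7c2 completed",
    "2024-01-01 10:00:03 ERROR Request ID: c9d4 connection reset",
    "2024-01-01 10:00:04 INFO heartbeat",
]


def extract_request_id(raw):
    """Return the extracted request_id, or None when the event has none."""
    m = REQUEST_ID.search(raw)
    return m.group("request_id") if m else None


def failing_ids(access_events):
    """Model of the subsearch: request_id values of events matching status=5*."""
    return {e["request_id"] for e in access_events if e["status"].startswith("5")}


def correlate(access_events, service_lines):
    """Model of the outer search: service events whose request_id is wanted."""
    wanted = failing_ids(access_events)
    return [line for line in service_lines if extract_request_id(line) in wanted]


if __name__ == "__main__":
    for line in correlate(ACCESS, SERVICE):
        print(line)
    # \w does not match "-", so a hyphenated ID is cut at the first hyphen and
    # would no longer equal the full value held in the access log.
    print(extract_request_id("Request ID: 3f2a-77b1 failed"))
```

If the real request IDs contain hyphens (UUIDs, for instance), the `\w+` capture returns only the first segment and the two sources will not join on request_id.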