Hi All
Can anyone explain where my search is wrong?
sourcetype="access_log" [search sourcetype="GAMESAPI*" SID | rex field=_raw "\[SID\]\s=>\s(?<SID>[0-9]*)" | top SID limit=1 | table SID] | rex field=_raw "(?i)^(?P<IP>[^ ]*)(?= )"
I am trying to extract the most common SID within a GAMESAPI log and use that value to search the access_log for the corresponding IP addresses.
The following search returns the top SID:
sourcetype="GAMESAPI*" SID | rex field=_raw "\[SID\]\s=>\s(?<SID>[0-9]*)" | top SID limit=1 | table SID
And this search will return the IP address from the access_log:
sourcetype="access_log" | rex field=_raw "(?i)^(?P<IP>[^ ]*)(?= )"
Separately, the two searches work; as a subsearch, they fail. Any ideas?
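The behaviour the post describes can be modelled outside Splunk. The Python below is an added illustration, not part of the original post or Splunk's own code: it reproduces the two rex extractions from the post over constructed sample events, counts the most common SID, and then evaluates the subsearch result against the access_log events in two ways. A subsearch that ends in `| table SID` is expanded to the field filter `SID="1001"`, which can only match events that actually carry an extracted field named SID; access_log events have no such field, so nothing matches. If the subsearch instead ends in `| return $SID`, Splunk emits just the value as a raw search term, which matches the text of the access_log line. The sample log lines and the tiny term evaluator (a substring match standing in for Splunk's token search) are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample events (not from the original post).
GAMESAPI_EVENTS = [
    "2024-01-01T10:00:00 api request [SID] => 1001 action=login",
    "2024-01-01T10:00:01 api request [SID] => 1002 action=move",
    "2024-01-01T10:00:02 api request [SID] => 1001 action=move",
    "2024-01-01T10:00:03 api request [SID] => 1001 action=logout",
]
ACCESS_LOG_EVENTS = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /play?sid=1001 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /play?sid=1002 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "POST /move?sid=1001 HTTP/1.1" 200 64',
]

# The two rex patterns from the post, unchanged.
SID_RE = re.compile(r"\[SID\]\s=>\s(?P<SID>[0-9]*)")
IP_RE = re.compile(r"(?i)^(?P<IP>[^ ]*)(?= )")

# A search term is either field="value" or a bare "value".
TERM_RE = re.compile(r'(?:(?P<field>\w+)=)?"(?P<value>[^"]*)"')


def top_sid(events):
    """Mimic `rex ... | top SID limit=1`: the most frequent SID, or None."""
    counts = Counter(m.group("SID") for e in events if (m := SID_RE.search(e)))
    return counts.most_common(1)[0][0] if counts else None


def subsearch_clause(sid, via):
    """Mimic how Splunk turns the subsearch's single-row result into search text.
    via="table":  `| table SID`  -> SID="1001"  (field-scoped filter, as in the post)
    via="return": `| return $SID` -> "1001"     (raw term, value only)"""
    return f'SID="{sid}"' if via == "table" else f'"{sid}"'


def event_matches(raw, fields, clause):
    """Simplified term evaluation (assumption: substring match stands in for
    Splunk's token search). A field-scoped term needs that field to exist on
    the event with the same value; a bare term only needs to occur in _raw."""
    for m in TERM_RE.finditer(clause):
        field, value = m.group("field"), m.group("value")
        if field:
            if fields.get(field) != value:
                return False
        elif value not in raw:
            return False
    return True


def correlate(gamesapi_events, access_events, via="table"):
    """Return the IPs of access_log events selected by the subsearch result."""
    sid = top_sid(gamesapi_events)
    if sid is None:
        return []
    clause = subsearch_clause(sid, via)
    hits = []
    for raw in access_events:
        # Only IP is extracted from access_log (the post's second rex);
        # there is no SID field on these events.
        fields = {}
        if (m := IP_RE.search(raw)):
            fields["IP"] = m.group("IP")
        if event_matches(raw, fields, clause):
            hits.append(fields["IP"])
    return hits


if __name__ == "__main__":
    print("top SID:", top_sid(GAMESAPI_EVENTS))
    print("via table :", correlate(GAMESAPI_EVENTS, ACCESS_LOG_EVENTS, via="table"))
    print("via return:", correlate(GAMESAPI_EVENTS, ACCESS_LOG_EVENTS, via="return"))
```

Running it shows the field-scoped expansion selecting no access_log events while the raw-term expansion selects the two lines for the top SID. The same distinction explains why the two searches work on their own but not when combined: the outer search does not fail to run, it simply filters on a field the access_log events never have.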