Hi All,
I stumbled into this difficulty when trying to create a child object that (I think ..) needs a subsearch. I have a log from my mail server as shown below; each line is an event. I set the sourcetype=SMTP_logs. I manually extracted some fields such as sessionid, mail_from, mail_to, and status.
I successfully created an object in my data model named "SMTP" which has constraint string "sourcetype=SMTP_logs". OK, that part is easy.
And then I want to create a child object that only contains successful SMTP sessions. As in my log example below, sessionid 001 and 003 are successful, but not so with sessionid 002. How do I select only the events that have a successful sessionid? So only events from sessionid 001 and 003 are selected.
In a normal search, I could simply do a subsearch like [search sourcetype=SMTP status=successful | fields sessionid], and it will return all the successful sessionids. I learned this technique from my previous question in this community forum. But pipes "|" as in "| fields sessionid" are not allowed in the constraint strings when doing child object creation.
Any suggestions on how to achieve this?
Sourcetype=SMTP_logs
00:05 [001] MAIL FROM : abc@domain1.com
00:05 [001] MAIL TO : xyz@domain2.com
00:06 [002] MAIL FROM : name@mydom.com
00:07 [001] SUBJECT : "Why dogs have 4 legs"
00:11 [002] Email from mydom.com is not allowed
00:11 [002] STATUS : terminated
00:11 [001] Receiving email data ..
00:12 [003] MAIL FROM : puppy@animal.com
00:13 [003] MAIL TO : klm@domain2.com
00:13 [003] SUBJECT : "A newborn puppy"
00:14 [001] Email data completed
00:14 [001] STATUS : successful
00:14 [003] Receiving email data ..
00:21 [003] Email data completed
00:21 [003] STATUS : successful