I've been struggling with this one for about a week now.
I would like to create a search on a dashboard that shows all events related to a known variable (REF-ID_xxxxxx) and an otherwise undefined variable we will call (CON-ID). The catch is that the CON-ID number is sometimes referenced as CON-ID=, or CO=, or IDCoN, and a handful of others. The trailing number for that second variable is unique, even though the variable name isn't. So it comes down to you doing a manual search like this.
REF-ID_234d23dd23f
Which gives 30-some-odd results. You then have to look by eye for something like 'CON-ID=Ct774235fffrf4345gf' in the first few records. Take all the alphanumeric characters behind the '=', in this case 'Ct774235fffrf4345gf'. Then do a second search like this.
REF-ID_234d23dd23f OR Ct774235fffrf4345gf
That gives you all 150+ events to give you a full view of related logs to investigate.
I've tried something like this below, but am not having much luck. Tried regex extraction, subsearches. I just am not sure what the best way is to proceed, or even if I'm doing them correctly.
The manual fancy version I attempted... and failed at...
REF-ID_234d23dd23f OR [search REF-ID_234d23dd23f | rex field=_raw "CON-ID=(?<ConID>[a-zA-Z0-9].+)" | eval foundConID=ConID]
This is an example, based on the above, of the dashboard version that uses an input variable; eventually I want this to be something like:
$REF-ID$ OR [search $REF-ID$ | rex field=_raw "CON-ID=(?<ConID>[a-zA-Z0-9].+)" | eval foundConID=ConID]
None of these seem to give me the results I'm looking for past the first search. But if all works out, I will have a dashboard, where a guy puts a REF-ID number in, and gets back all kinds of correlated data. Showing an entire incident or series of events from start to finish, as it jumps across multiple systems and log sources.
Any suggestions on how to make this search work? I'm at a loss.
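The two-stage search described in the post, written out as an added example (not code from the original post). It assumes the CON-ID value is always a run of letters and digits directly after one of the aliases `CON-ID=`, `CO=` or `IDCoN` (the optional `=`/`:` after `IDCoN` is an assumption), that up to 10 distinct CON-ID values per REF-ID is enough, and that the dashboard input token is named `ref_id`:

```spl
REF-ID_234d23dd23f OR [search REF-ID_234d23dd23f
    | rex field=_raw "(?i)(?:CON-ID=|CO=|IDCoN[=:]?)(?<ConID>[A-Za-z0-9]+)"
    | search ConID=*
    | dedup ConID
    | return 10 $ConID]
```

Two things differ from the attempt in the post. First, `[a-zA-Z0-9].+` is greedy and swallows the rest of the event, so the extracted value never matches anything; `[A-Za-z0-9]+` stops at the first non-alphanumeric character, which is what "take all the alphanumeric characters behind the '='" means. Second, a subsearch normally hands back `field="value"` pairs, so `eval foundConID=ConID` would produce `(ConID="Ct774..." foundConID="Ct774...")`, and no event has a field called `ConID` in the index. `return 10 $ConID` (the `$` prefix) emits the bare values joined with `OR`, which reproduces the manual `REF-ID_... OR Ct774235fffrf4345gf` search exactly. `search ConID=*` drops the events in the REF-ID result set that carried no CON-ID at all, and `dedup` keeps the subsearch small. For the dashboard, replace both occurrences of `REF-ID_234d23dd23f` with `$ref_id$`; if you edit the Simple XML directly, wrap the query in a CDATA section or escape the `<` in `(?<ConID>`, since it is not valid inside an XML element as-is.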