Hello there !
This is my first post here 🙂
I've already read a lot of queries/answers, tried a lot of things, but ... I'm still not getting something good 😞 😞
I'd need to mix 3 different queries in order to get my final result.
I would like to be able to run only ONE query instead of doing step by step the 3 of them.
A. The first query: get all the transactionId
Extract all fields called "transactionId" for one source where the word 'ERROR' is seen
* "] ERROR" source=*exp* | table transactionId | dedup transactionId
For example, this will return 2 lines :
dd2ff560-7bcd-11e8-8ac7-005056ac4954
db846840-7bcd-11e8-8ac7-005056ac4954
B. Based on the transactionId found in query A, find the correlationId:
* source=*mb05* HTTPHeaderHandler.InboundHeaders ( transactionId from query A ) | rename message_id as correlationId | table correlationId
My query in a step by step mode looks like
* source=*mb05* HTTPHeaderHandler.InboundHeaders (dd2ff560-7bcd-11e8-8ac7-005056ac4954 OR db846840-7bcd-11e8-8ac7-005056ac4954) | rename message_id as correlationId | table correlationId
The result is 2 lines also :
zz31ca20-7bcd-11e8-8ac7-005056ac4954
zz863d00-7bcd-11e8-8ac7-005056ac4954
C. With the correlationId found in B, get all the lines with Exception:
* source=*mb05* ExceptionHandler.HandledException ( correlationID from query B) | fields _raw
In my step by step mode :
* source=*mb05* ExceptionHandler.HandledException ( zz31ca20-7bcd-11e8-8ac7-005056ac4954 OR zz863d00-7bcd-11e8-8ac7-005056ac4954 ) | fields _raw
That gives me the log that I'm looking for.
A bit annoying to do it step by step.
So I'd like to get something like :
* source=*mb05* ExceptionHandler.HandledException [ search source=*mb05* HTTPHeaderHandler.InboundHeaders [ search * "] ERROR" source=*exp* | table transactionId | dedup transactionId ] | rename message_id as correlationId | table correlationId ] | fields _raw
If anybody has some clue to help me I will be more than happy ! 😄
Thanks in advance for your help!
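Added example, not part of the original post: one way to chain steps A, B and C with nested subsearches. It assumes `transactionId` and `message_id` are extracted fields (as queries A and B use them) and that the ids appear as plain text in the `mb05` events. A subsearch normally hands back `field="value"` filters; renaming the returned field to `search` makes Splunk insert the values as raw terms joined by OR, which is the same shape as the hand-built step-by-step queries.

```spl
source=*mb05* ExceptionHandler.HandledException
    [ search source=*mb05* HTTPHeaderHandler.InboundHeaders
        [ search "] ERROR" source=*exp* transactionId=*
          | dedup transactionId
          | table transactionId
          | rename transactionId AS search ]
      | dedup message_id
      | table message_id
      | rename message_id AS search ]
| fields _raw
```

Subsearches are subject to the result-count and runtime limits set in limits.conf, so keep the time range narrow enough that the inner searches return every id.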