I have an index="summary" where it captures both success connections and error connections.
I need to get the connection ID for those Error connections and with the output of this search (connection ID) need to subsearch in the same index to get the source IP.
CONNID value is the list. For each CONNID need to pass to the subsearch.
I used this query:
index=summary sourcetype=ldap_log eventtype=nix_errors | fields CONNID | rename CONNID AS cid | map search="search index=summary sourcetype=ldap_log ID=$cid$ | fields src_ip"
It returns a null value, but when I executed it separately it works.
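The same lookup written with a classic Splunk subsearch instead of `map`, as an added example that is not part of the original post. It assumes, from the query above, that the error events carry the connection ID in `CONNID` and that the matching events in the same index carry it in a field named `ID` together with `src_ip`; the field names are taken from the question, nothing else is assumed. The subsearch returns `(ID="…") OR (ID="…") …`, which is spliced into the outer search, so no `$token$` substitution is involved and the token-name mismatch that breaks `map` cannot occur.

```spl
index=summary sourcetype=ldap_log src_ip=*
    [ search index=summary sourcetype=ldap_log eventtype=nix_errors
      | fields CONNID
      | rename CONNID AS ID
      | format ]
| table ID src_ip
```

Two caveats worth checking before relying on either form: `map` runs one search per input row and stops after `maxsearches=10` by default, so a long list of CONNIDs silently loses results unless you raise it; a subsearch is a single outer search but is capped at 10,000 subsearch results and a 60 s runtime by default. If the error list is larger than that, `stats values(src_ip) by ID` over a single search that matches both the error events and the connection events is the scalable alternative.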