I notice that the below query results in 0 events, whereas the baseSearch alone results in 11 events and the sub-search alone (outside of brackets) results in 5 events.
"baseSearch"
| [search "baseSearch"
  | rex field=_raw "aRegex(?<status>.*)"
  | rex field=_raw " aRegex(?<requestID>.*)"
  | transaction startswith=eval(status="Started") endswith=eval(status="Completed")
  | eval startTranTime=_time
  | eval endTranTime=_time+duration
  | table startTranTime endTranTime]
Further, when I pipe this subsearch into a where clause that compares endTranTime to an existing field (where endTranTime > date_time), I get an error: Error in 'SearchParser': Subsearches are only valid as arguments to commands
Also, would I need to have the rex fields outside of the subsearch in order to use them later in the query?
Any suggestions would be really appreciated. Thanks.
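Added example, not part of the original post and not Splunk's own code: a small Python model of how Splunk turns a subsearch's result table into a filter for the outer search (the documented `format` behaviour, where each row becomes a `field="value"` conjunction and rows are OR-ed together), applied to a constructed set of raw events. The event fields, the row values and the `NOT ()` stand-in for an empty result set are assumptions for illustration.

```python
"""Model of Splunk subsearch expansion (added example; not Splunk's code).

A subsearch in square brackets is run first, its result table is rendered
with `format`, and the rendered expression is appended to the outer search
as a filter.  This script models that step on constructed data so the
effect of the subsearch's output fields on the outer search is visible.
"""
from typing import Dict, List

Row = Dict[str, str]

# Constructed sample events as the outer search sees them.  These carry only
# _time, requestID and status; no event has a startTranTime or endTranTime
# field, because those are created by eval inside the subsearch.
EVENTS: List[Row] = [
    {"_time": "1700000000", "requestID": "r1", "status": "Started"},
    {"_time": "1700000030", "requestID": "r1", "status": "Completed"},
    {"_time": "1700000005", "requestID": "r2", "status": "Started"},
    {"_time": "1700000050", "requestID": "r2", "status": "Completed"},
    {"_time": "1700000010", "requestID": "r3", "status": "Started"},
]

# Constructed result of "| table startTranTime endTranTime" in the subsearch:
# one row per completed transaction.
TRANSACTION_ROWS: List[Row] = [
    {"startTranTime": "1700000000", "endTranTime": "1700000030"},
    {"startTranTime": "1700000005", "endTranTime": "1700000050"},
]


def format_subsearch(rows: List[Row]) -> str:
    """Render rows the way the default `format` output does:
    ( ( f1="v1" AND f2="v2" ) OR ( f1="v3" AND f2="v4" ) ).
    An empty result set is modelled as a clause that matches nothing."""
    if not rows:
        return "NOT ()"  # assumed stand-in; matches no event
    row_exprs = []
    for row in rows:
        cols = " AND ".join(f'{field}="{value}"' for field, value in row.items())
        row_exprs.append(f"( {cols} )")
    return "( " + " OR ".join(row_exprs) + " )"


def matches(rows: List[Row], event: Row) -> bool:
    """Evaluate the expanded filter against one event.

    field="value" holds only when the event actually has that field with
    that value; a field the event lacks never matches, so rows built from
    fields that exist only inside the subsearch filter out every event."""
    return any(
        all(event.get(field) == value for field, value in row.items())
        for row in rows
    )


def apply_subsearch(rows: List[Row], events: List[Row]) -> List[Row]:
    """Outer search restricted by the subsearch: keep events the filter matches."""
    return [event for event in events if matches(rows, event)]


if __name__ == "__main__":
    print(format_subsearch(TRANSACTION_ROWS))
    print(len(apply_subsearch(TRANSACTION_ROWS, EVENTS)), "events survive the filter")
    # For contrast, a subsearch that tables a field the raw events do carry:
    id_rows = [{"requestID": "r1"}, {"requestID": "r2"}]
    print(format_subsearch(id_rows))
    print(len(apply_subsearch(id_rows, EVENTS)), "events survive the filter")
```

Running it shows the transaction rows expanding to a filter on `startTranTime` and `endTranTime`, which no raw event carries, so nothing survives; the contrasting `requestID` rows expand to a filter on a field the events do have and select the matching events.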