Hello, my data look like this:
{
correlationId: "1",
field1: "something **flagged**",
field2: "alkjsd"
},
{
correlationId:"1",
info:"<id>A</id>"
},
{
correlationId: "2",
field1: "Hello world",
field2: "nothing to see"
},
{
correlationId:"2",
info:"<id>B</id>"
},
{
correlationId: "3",
field1: "abc123",
field2: "**flagged** things"
},
{
correlationId:"3",
info:"<id>C</id>"
}
I want to find all of the entries containing **flagged** values and output a list of ids that have the same correlationId as a **flagged** entry. In this case the output would be something like
A
C
I can output a list of all ids like this:
index=myindex | rex field=info "<id>(?<idvalue>[^\<]+)" | stats values(idvalue)
I can find the correlationId of **flagged** messages like this:
index=myindex "**flagged**" | stats values(correlationId)
How do I combine these into a single search that will give me only the ids that match the **flagged** correlationIds?
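One way to combine the two searches in a single pass, as an added example that is not part of the original post. It assumes `correlationId` is already an extracted field on both event types (as the searches above imply) and reuses the post's search term verbatim; `is_flagged`, `has_flagged` and `flagged_ids` are names chosen here for illustration.

```spl
index=myindex
| rex field=info "<id>(?<idvalue>[^<]+)"
| eval is_flagged=if(searchmatch("**flagged**"), 1, 0)
| stats max(is_flagged) AS has_flagged values(idvalue) AS idvalue BY correlationId
| where has_flagged=1
| stats values(idvalue) AS flagged_ids
```

Grouping by `correlationId` with `stats` puts the flagged marker and the extracted id on the same row, so no subsearch is involved and the subsearch result and runtime limits do not apply.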