Hi all,
Currently I have the following string to make a table with some values which belong to different events but they have a field in common:
index="*MYindex*" AND container_name="Mycontainer_name" AND (message="*search1*" OR message="*search2*" OR message="*search3*") AND NOT message="*search4*"
| rex field=_raw "xyz(?<search1>[0-9a-zA-ZÀ-ÿ\,\s"/"]+),*"
| rex field=_raw "xyz(?<trace>[a-z0-9]+)*"
| rex field=message "xyz(?<search3>[0-9a-zA-Z\s]+),*"
| rex field=_raw "xyz(?<search2>[A-Za-z0-9]+)*"
| stats values(search2) as SEARCH2 values(search3) as SEARCH3 values(search1) as SEARCH1 by trace
This generates the following table grouping the events with the same trace. I expect to have empty cells depending of the SEARCH2 and SEARCH3, so it's fine.
trace | SEARCH2 | SEARCH3 | SEARCH1 |
0022f6381a597f0e | EXOL | 200 OK | |
004d6a8d0b2c3e7c | EXRS | | |
0052ad6e42b4b9ad | EXOL | 200 OK | |
008643fdaca08cd5 | EXOL | 200 OK | |
008f58384f6d582f | EXOL | 400 BAD | FORMAT ERROR |
What I'm looking for is to filter these results based on an additional search, which is a different event but it has the same trace:
index="*MYindex*" AND container_name="Mycontainer_name" AND (message="*search1*" OR message="*search2*" OR message="*search3*" OR message="*search5*" ) AND NOT message="*search4*"
| rex field=_raw "xyz(?<search1>[0-9a-zA-ZÀ-ÿ\,\s"/"]+),*"
| rex field=_raw "xyz(?<trace>[a-z0-9]+)*"
| rex field=message "xyz(?<search3>[0-9a-zA-Z\s]+),*"
| rex field=_raw "xyz(?<search2>[A-Za-z0-9]+)*"
| rex field=_raw "xyz(?<search5>[a-zA-Z]+),*"
| where search5="true"
| stats values(search2) as SEARCH2 values(search3) as SEARCH3 values(search1) as SEARCH1 by trace
search5 can only be "true" or "false" but the table applying the filter is empty, only showing the trace field:
trace | SEARCH2 | SEARCH3 | SEARCH1 |
0022f6381a597f0e | | | |
How I can filter the events applying the condition?
Thanks for you time.
