Example:
source="FILE1.log" search_input | rex ".*]*Rpc id :(?[0-9][0-9][0-9][0-9][0-9][0-9])" | append [search source ="FILE2.log" rpc_id]
Hi @vivek991985
You can't pass a value from a main search to a sub search, it works the other way round.
That being said and from what I can understand try something like this -
source ="FILE2.log" | eval id=[search source="FILE1.log" search_input | rex ".*]*Rpc id :(?[0-9][0-9][0-9][0-9][0-9][0-9])" |return $rpc_id]
Basically, the eval gets executed first and whatever rex you are performing (assuming the rex works) gets assigned o the field id, you can then pipe on and do what you need with file2log source
Hi @vivek991985
You can't pass a value from a main search to a sub search, it works the other way round.
That being said and from what I can understand try something like this -
source ="FILE2.log" | eval id=[search source="FILE1.log" search_input | rex ".*]*Rpc id :(?[0-9][0-9][0-9][0-9][0-9][0-9])" |return $rpc_id]
Basically, the eval gets executed first and whatever rex you are performing (assuming the rex works) gets assigned o the field id, you can then pipe on and do what you need with file2log source
Thank you @Sukisen1981