Hi,
So I'm having this rule...
index=logs sourcetype=console_test_1 "[Status] Discovered"
| rex "<regex rule>" | table orderId
...that outputs a column with IDs. What I want to do is something like getting these IDs and using them in another search, whose results I want to append to the one above. The second result is from another source type.
So, something like this:
index=logs sourcetype=console_test_1 "[Status] Discovered"
| rex "<regex rule>" | table orderId -> sourcetype=console_test_2 <orderId> | rex "<regex rule2>" | table result2 -> join column
I've searched the net but haven't figured it out yet.
Thank you