I have set up a field extraction that parses OC4J Apache logs of the following format and extracts the ecid:
index="app" host="somehost*" sourcetype="access_log-too_small" AND req_status=500 AND req_srvc_time>1
which returns:
10.1.2.3 - - [24/Jul/2013:09:36:44 -0700] [ecid: 1374676196:192.168.1.2:3229:0:12737,0] "GET /app-context/some.action HTTP/1.1" 500 659 [7201 (secs)]
The extracted ecids would then be:
1374676196:192.168.1.2:3229:0:12737
I want to pass the ecids (there would be more than one) to another search that looks across all logs (application logs, frontend host logs, etc) and returns all entries it finds. I do this manually by performing the following search:
index="app" "1374676196:192.168.1.2:3229:0:12737*"
to get:
2013-07-24 07:29:58,584 INFO UserTimingInterceptor.logBeforeMessage - Start action [//some!doSomething()?id=XyZ1312&sn=123456] by [user1] ECID [1374676196:192.168.1.2:3229:0:12737,2]
2013-07-24 07:29:58,584 INFO UserTimingInterceptor.logBeforeMessage - Start action [//some!doSomething()?id=XbZ1312&sn=123456] by [user1] ECID [1374676196:192.168.1.2:3229:0:12737,2]
[Wed Jul 24 09:29:58 2013] [error] [client 10.1.2.3] [ecid: 1374676196:192.168.1.2:3229:0:12737,0] mod_oc4j: request to OC4J locosprod0005:12501 failed: recv failed (errno=4)
10.1.2.3 - - [24/Jul/2013:09:29:58 -0700] [ecid: 1374676196:192.168.1.2:3229:0:12737,0] "GET /app-context/some.action?id=PTHG141277&sn=655164 HTTP/1.1" 500 659 [7202 (secs)]
The example I gave above uses one (1) ECID. The query would ideally be to look up all ECIDs returned by the first query and return corresponding entries from other logs. Is there a way to combine these two queries? Thanks in advance!
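The two-step correlation the post does by hand, as an added stand-alone Python example (not code from the post or from Splunk): the first function applies the status/service-time filter to access-log lines and collects their ECIDs, the second returns every line from any log carrying one of those ECIDs, with the ",<hop>" suffix ignored so all hops of a request share one key. The sample lines are the post's own plus one constructed healthy request that must not match.

```python
import re

# ECID as written in the OC4J access log ("[ecid: X,0]") and in the
# application/error logs ("ECID [X,2]"); the ",<hop>" suffix is not captured.
ECID_RE = re.compile(r"(?:ecid: |ECID \[)(?P<ecid>\d+:[\d.]+:\d+:\d+:\d+)(?:,\d+)?")
# Tail of an access-log line: HTTP status, bytes sent, service time in seconds.
ACCESS_RE = re.compile(r'" (?P<status>\d{3}) \d+ \[(?P<secs>\d+) \(secs\)\]$')

def extract_ecid(line):
    m = ECID_RE.search(line)
    return m.group("ecid") if m else None

def failed_slow_ecids(access_lines, status=500, min_secs=1):
    """First search: ECIDs of access-log requests with req_status == status
    and req_srvc_time > min_secs."""
    ecids = set()
    for line in access_lines:
        m = ACCESS_RE.search(line)
        if not m or int(m.group("status")) != status or int(m.group("secs")) <= min_secs:
            continue
        ecid = extract_ecid(line)
        if ecid:
            ecids.add(ecid)
    return ecids

def correlate(access_lines, all_lines):
    """Second search, fed by the first: every line from any log whose ECID
    is one of those found above, grouped per ECID."""
    hits = {ecid: [] for ecid in failed_slow_ecids(access_lines)}
    for line in all_lines:
        ecid = extract_ecid(line)
        if ecid in hits:
            hits[ecid].append(line)
    return hits

# Constructed sample: the post's lines plus one healthy request (last entry).
SAMPLE_ACCESS = [
    '10.1.2.3 - - [24/Jul/2013:09:36:44 -0700] [ecid: 1374676196:192.168.1.2:3229:0:12737,0] "GET /app-context/some.action HTTP/1.1" 500 659 [7201 (secs)]',
    '10.1.2.3 - - [24/Jul/2013:09:29:58 -0700] [ecid: 1374676196:192.168.1.2:3229:0:12737,0] "GET /app-context/some.action?id=PTHG141277&sn=655164 HTTP/1.1" 500 659 [7202 (secs)]',
    '10.1.2.4 - - [24/Jul/2013:09:40:00 -0700] [ecid: 1374676800:192.168.1.2:3229:0:12999,0] "GET /app-context/ok.action HTTP/1.1" 200 1024 [0 (secs)]',
]
SAMPLE_OTHER = [
    '2013-07-24 07:29:58,584 INFO UserTimingInterceptor.logBeforeMessage - Start action [//some!doSomething()?id=XyZ1312&sn=123456] by [user1] ECID [1374676196:192.168.1.2:3229:0:12737,2]',
    '[Wed Jul 24 09:29:58 2013] [error] [client 10.1.2.3] [ecid: 1374676196:192.168.1.2:3229:0:12737,0] mod_oc4j: request to OC4J locosprod0005:12501 failed: recv failed (errno=4)',
]

if __name__ == "__main__":
    for ecid, lines in correlate(SAMPLE_ACCESS, SAMPLE_ACCESS + SAMPLE_OTHER).items():
        print(ecid)
        for line in lines:
            print("   ", line)
```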