Thanks somesoni2 for replying. Can you please anything further on this to obtain the results
I have tried executing this command, I was quite unsuccessful as there no events getting written
index=orsapps [ search index=esbapps | search E2E_busProcID="D1 7SH" | table ReqID | rename ReqID as RequestersID ] | rex "RequestersID>(?[^<]*)" | table RequestersID _time index
But when I type individual queries I am able to see the table -
index=orsapps
| rex "RequestersID>(?[^<]*)"
| table RequestersID _time index
Result -
RequestersID _time index
0610479853358211 2017-03-27 11:28:00 orsapps
0610479853358211 2017-03-27 11:28:00 orsapps
0610479853358211 2017-03-27 11:28:00 orsapps
0610479853358211 2017-03-27 11:28:00 orsapps
0610467479012357 2017-03-27 11:27:48 orsapps
0610467479012357 2017-03-27 11:27:48 orsapps
0610467479012357 2017-03-27 11:27:48 orsapps
0610467479012357 2017-03-27 11:27:48 orsapps
Individual subquery result -
search index=esbapps | search E2E_busProcID="D1 7SH" | table ReqID | rename ReqID as RequestersID
RequestersID _time index
0610479853358211 2017-03-27 11:29:06 esbapps
2017-03-27 11:29:06 esbapps
2017-03-27 11:29:06 esbapps
0610479853358211 2017-03-27 11:29:05 esbapps
0610467479012357 2017-03-27 11:28:55 esbapps
2017-03-27 11:28:54 esbapps
2017-03-27 11:28:54 esbapps
0610467479012357 2017-03-27 11:28:53 esbapps
Output of the first query is to be servered as the input to the first query. Can you please help me in getting all in a same table as in the final result. Final table format -
RequestersID _time index
xxxxx xxxxx esbapps
xxxxx xxxxx orsapps
... View more