sivathemass

Topics I've Started

Subject

Karma

Author

Unable to query on multiple extracted fields

I've a log like below and I want to extract the fields "country", "currency" "{"id":1, "message":"country=US&currency=USD"}. I wrote SPL index="main"| rex max_match=0 field=message "(?<key>\w+)=(?<value>[^&]+)" | eval z=mvzip(key, value, "~") | mvexpand z | rex field=z "(?<key>[^~]+)~(?<value>.*)" | eval {key} = value After extracting the fields, I can search based on only one field. This works . index="main"| rex max_match=0 field=message "(?<key>\w+)=(?<value>[^&]+)" | eval z=mvzip(key, value, "~") | mvexpand z | rex field=z "(?<key>[^~]+)~(?<value>.*)" | eval {key} = value | search country=US This does not work index="main"| rex max_match=0 field=message "(?<key>\w+)=(?<value>[^&]+)" | eval z=mvzip(key, value, "~") | mvexpand z | rex field=z "(?<key>[^~]+)~(?<value>.*)" | eval {key} = value | search country="US" AND currency="USD". It yields 0 results Any pointers please?

Karma given to

User

Karma Count

Posts	1
Solutions	0
Karma Given	1
Karma Received	0
Member Since	‎06-19-2020

Online Status	Offline
Date Last Visited	‎06-20-2020 05:52 AM