Hello, I am trying to do what I believe would be a correlated subquery. I need to search a file for a value, then re-search that same file for everything related to that value.
In a log file of all items and the messages produced as they are processed, I need to search for specific failure messages, grab the item that failed and re-search the file for all messages related to that item. What I currently have:

    source="logs" host="test"
    [
    search source="logs" host="test" ("failed to subtract" OR "failed to add")
    | rex "^\[(?<item>[\w.-]+)\].+"
    | dedup item
    | fields + item
    ]
    | rex "^\[(?<item>[\w.-]+)\]\s(?<message>.+)"
    | table _time, item, message
The inner [search] gives results on its own, but when placed as a subsearch, the whole provides no results.
Any help would be appreciated!
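Added example (not part of the original post, and not the poster's own query). The subsearch above returns its rows as field/value pairs, so the outer search is rewritten to roughly `source="logs" host="test" (item="a" OR item="b")`. At that point no `item` field exists yet, because it is only created by the `rex` that runs after the filter, so nothing matches. Emitting the values as raw search terms instead makes the outer search match on the event text. The query below assumes the same `[item] message` line format and the same `source`/`host` values as the post; `return 1000 $item` is Splunk's `return` command with the `$` prefix, which outputs bare values rather than `item="..."` pairs (the count is needed because `return` defaults to a single row):

```spl
source="logs" host="test"
    [ search source="logs" host="test" ("failed to subtract" OR "failed to add")
      | rex field=_raw "^\[(?<item>[\w.-]+)\]"
      | dedup item
      | return 1000 $item ]
| rex field=_raw "^\[(?<item>[\w.-]+)\]\s(?<message>.+)"
| where isnotnull(item)
| sort 0 item, _time
| table _time, item, message
```

Two caveats worth checking on real data: a bare term such as `"ITEM-42"` matches any event that contains that token anywhere, not only lines prefixed with `[ITEM-42]`, which is why the outer `rex` is followed by `where isnotnull(item)` to drop lines that do not carry the bracketed prefix; and subsearches are capped by `maxout` (10,000 results by default) and a 60-second `maxtime`, so if the failing-item list is large, a single-pass `eventstats` over `item` that flags whether any of its messages matched the failure strings avoids the subsearch entirely.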