I want to create subsearch based on parent fields search. I want to show only rows from cor_inbox_entry that includes keys.OrderID. (keys.OrderID is substring of fullBodID)
Example for fullBodID : infor-nid:infor:111:APRD00908_2022-09-06T12:01:26Z:?ProductionOrder&verb=Process&event=10545
Example for keys.OrderID : APRD00908
index=elbit_im sourcetype=cor_inbox_entry
| spath input=C_XML output=bod path=ConfirmBOD.DataArea.BOD
| xpath outfield=fullBodID field=bod "//NameValue[@name='MessageId']"
|appendpipe
[ search "metadata.Composite"=ReportOPMes2LN
| search fullBodID = "*".keys.OrderID."*"]
| table _time, fullBodID
Any idea?
... View more