My sample events look like this , API logs
{
location: Southeast Asia,
properties: {
backendMethod: GET
errors: [
{some huge nested object},
{some huge nested object}
]
}
}
I want to search only the events with the "errors" field. If the API is successful, it does not have this "errors" field, and I don't want to search them. I have tried {baseSearch} | where mvcount('properties.errors') > 0 , this return nothing {baseSearch} | where mvcount("properties.errors") > 0 , returning even the events without the "errors" field {baseSearch} | where isnotnull('properties.errors'), this return nothing {baseSearch} | where isnotnull("properties.errors"),returning even the events without the "errors" field {baseSearch} | "properties.errors"=*. , this return nothing I just need something simple like {baseSearch} | where exist(properties.errors), what is the most simple way
... View more