Okay, looking at the second search on the access_log, you use "filename*=", so you don't actually search for a field called filename. The first thing you need to do here is create a field called filename and then it will work. Assuming the filename* thingy does not contain any spaces, try this:
( source="/opt/jboss/jboss-fuse/data/log/fuse.log" "Audience value in the JWT is" ) OR ( source="/opt/jboss/jboss-fuse/data/log/access_log" ("path=/rest/cases/" "filename*="))
| rex "filename[^=]*=(?<filename>[^\s]+)"
| eval filename=if(isnotnull(filename), filename, "none")
| stats values(*) AS * by breadcrumbid filename
Hope this helps ...
cheers, MuS
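Added example, not part of the original answer: the rex, eval and stats steps from the search above, emulated in Python so the extraction can be checked offline against sample lines. The log lines are constructed, and the `breadcrumbid=...` key=value layout is an assumption about how that field appears in the events.

```python
import re
from collections import defaultdict

# Python spelling of the rex pattern: (?<filename>...) becomes (?P<filename>...)
FILENAME_RE = re.compile(r"filename[^=]*=(?P<filename>[^\s]+)")
# Assumption: breadcrumbid appears as key=value, which Splunk would auto-extract
BREADCRUMB_RE = re.compile(r"breadcrumbid=(?P<breadcrumbid>[^\s]+)")

# Constructed sample events (source, raw text); not taken from a real system
EVENTS = [
    ("fuse.log", "breadcrumbid=ID-1 Audience value in the JWT is portal-a"),
    ("access_log", "breadcrumbid=ID-1 path=/rest/cases/42 filename*=UTF-8''report.pdf"),
    ("access_log", "breadcrumbid=ID-2 path=/rest/cases/43 filename=plain.txt"),
    ("access_log", "breadcrumbid=ID-3 path=/rest/cases/44 filename*=UTF-8''my report.pdf"),
]

def extract(raw):
    """rex + eval: pull filename, defaulting to "none" when the pattern is absent."""
    bc = BREADCRUMB_RE.search(raw)
    fn = FILENAME_RE.search(raw)
    return {
        "breadcrumbid": bc.group("breadcrumbid") if bc else None,
        "filename": fn.group("filename") if fn else "none",
    }

def stats_by_breadcrumb_filename(events):
    """stats values(source) by breadcrumbid filename: one row per distinct pair."""
    rows = defaultdict(set)
    for source, raw in events:
        fields = extract(raw)
        if fields["breadcrumbid"] is None:  # stats drops events missing a by-field
            continue
        rows[(fields["breadcrumbid"], fields["filename"])].add(source)
    return {key: sorted(sources) for key, sources in rows.items()}

if __name__ == "__main__":
    for key, sources in sorted(stats_by_breadcrumb_filename(EVENTS).items()):
        print(key, sources)
```

The ID-3 line shows the effect of the no-spaces assumption: the captured value stops at the first whitespace character.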