This is getting closer, thanks! Though I have a couple of bumps that need ironing out.
Checking the search job inspector, I can see that it has evaluated the subsearch expression, found the correct value, and incorporated it into my main search - perfect. Though I'm returning no results... doh. I think it might be because of the field name I am using.
When I find the track trace initially, it comes from an xml field named , which I was calling tracktrace in my rex. However when I am using that value to find the appropriate logs in my main search the xml field name is .
The subsearch then goes looking for tracktrace="M40GW2014092911354947166" which can't be found.
Can I somehow still use the value/result (M40GW2014092911354947166) from the subsearch and populate that into the main search in a way that it can find the event?
i.e. If I just type into search "M40GW2014092911354947166" it would return the correct event.
Or am I naming the field incorrectly that I could do another way? Currently:
rex "(?i)<ns2:MessageTrackTrace>(?P<tracktrace>[^<]+)"