I have written two individual queries that both return the expected results.
A.
tag=*tag name*
location="*location name*"
message="*error message*"
status=400
| rex field=_raw "*string from log* (?<user_email>\w+[@]\S+)@*string from log*"
| rex field=_raw "_(?<login_dye>\w+)\]"
B.
tag=*tag name*
"*string from log*"
"\"status\":400"
"*string from log*"
| rex field=*field name* "_(?<login_dye>\w+)"
However, when I join the two queries, no results are returned.
C.
tag=*tag name*
location="*location name*"
message="*error message*"
status=400
| rex field=_raw "*string from log* (?<user_email>\w+[@]\S+)@*string from log*"
| rex field=_raw "_(?<login_dye>\w+)\]"
| join type=inner login_dye
[search
tag=*tag name*
"*string from log*"
"\"status\":400"
"*string from log*"
| rex field=*field name* "_(?<login_dye>\w+)"
| eval Date=strftime(_time, "%m-%d-%y")]
| eval user_email="'".user_email."',"
| dedup Date, user_email
| table Date, user_email
The main search returns a large number of results. However, the sub-search returns a relatively small number of results, so the sub-search should not be timing out. I also get no messages indicating such, and no other errors or messages.