using trace operator



  • Avatar
    Denis Brodsky

    attached example of output

    Comment actions Permalink
  • Avatar
    Kevin Keech

    The Trace operator requires two parameters:

    1.) A regular expression to find related messages

    2.) A starting value

    You are missing #2 in your queries, you would need to supply the starting TID you are attempting to trace through your messages. This is probably resulting in the error you see.

    ex. trace "tid=([0-9a-fA-F]{9})" "123abc123"

    Based on the rest of your query it may not return anything because you have already filtered out anything that is not part of the source category. Also the first parse command is going to drop any messages which do not include "tid:* " so if your other messages have the TID value defined as "tid=" then those are not going to be available to the trace.

    Here are a couple example of a trace that may work for you (where 1a2b3c4d5 would be your starting TID value).

     tid  | trace "tid:([0-9a-zA-Z]{9})"  "1a2b3c4d5"

    Or if tid is defined as both "tid=" and "tid:" in your logs:

    tid | trace "[tid:|tid=]([0-9a-zA-Z]{9})"  "1a2b3c4d5"



    Comment actions Permalink

Please sign in to leave a comment.