How to do subquery?
Hello,
To give a brief background, we have multiple customers at our company. They each have an org assigned to them, and I am interested in the ability to filter the logs to only view error messages related to a specific customers org. We do not log the org value for all messages, however, we trace logs using requestids. I am interested in performing a subquery to output all the requestids in relation to a specific org and then perform a query of those requestids to determine logs that contain errors, warns, etc.
Currently I have the following subquery that works:
_sourceCategory=oracle/queue/*
| parse regex field=json_message "^OMP: (?<metric>.*)"
| json auto field=metric
| where orgId="XXXXXXXX"
| count by requestID
| compose requestID keywords
The above outputs all requestIDs, and I would like to place this subquery into my parent query as the following:
_sourceCategory=oracle/queue/*
[subquery:_sourceCategory=oracle/queue/*
| parse regex field=json_message "^OMP: (?<metric>.*)"
| json auto field=metric
| where orgId="XXXXXXXX"
| count by requestID
| compose requestID keywords
]
| json_level=ERROR
| timeslice 1m
| count by _sourceCategory
When attempting the above, I receive an error that the field orgid was not found. However, it succeeds when running the query alone. Do I need to reference the orgid in the parent query? I would greatly appreciate any help!
-
Hi Jeff,
Are there any logs in /oracle/queue* where there is no orgId field present? I would try the below query to filter on events with the orgId field.
_sourceCategory=oracle/queue/* orgId
[subquery:_sourceCategory=oracle/queue/* orgId
| parse regex field=json_message "^OMP: (?<metric>.*)"
| json auto field=metric
| where orgId="XXXXXXXX"
| count by requestID
| compose requestID keywords
]
| json_level=ERROR
| timeslice 1m
| count by _sourceCategory
Akash
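To make the two-phase logic of the thread concrete outside Sumo Logic, here is an added Python example (not from the original post or from Sumo Logic) that replays the same steps over a handful of constructed log records: parse the "OMP: {...}" payload out of json_message, collect the requestIDs for one orgId (the subquery), then keep only messages at a given json_level that carry one of those requestIDs as a keyword and count them by _sourceCategory (the parent query). It also shows the point raised in the answer: messages that never had an orgId field are simply skipped instead of breaking the run. The record field names, the org and request identifiers, and the omission of the timeslice step are assumptions made for the example.

```python
import json
import re
from collections import Counter

# Constructed sample records (not taken from the thread). Each record carries the
# fields the queries reference: _sourceCategory, json_level and json_message.
SAMPLE_LOGS = [
    {"_sourceCategory": "oracle/queue/ingest", "json_level": "INFO",
     "json_message": 'OMP: {"orgId": "org-A", "requestID": "req-1", "step": "received"}'},
    {"_sourceCategory": "oracle/queue/ingest", "json_level": "INFO",
     "json_message": 'OMP: {"orgId": "org-B", "requestID": "req-2", "step": "received"}'},
    # Downstream messages carry the requestID but no orgId, the gap described in the question.
    {"_sourceCategory": "oracle/queue/worker", "json_level": "ERROR",
     "json_message": 'OMP: {"requestID": "req-1", "error": "timeout"}'},
    {"_sourceCategory": "oracle/queue/worker", "json_level": "ERROR",
     "json_message": 'OMP: {"requestID": "req-2", "error": "timeout"}'},
    {"_sourceCategory": "oracle/queue/dlq", "json_level": "WARN",
     "json_message": 'OMP: {"requestID": "req-1", "retries": 3}'},
    # A message without the OMP prefix: the parse step drops it in Sumo, and so do we.
    {"_sourceCategory": "oracle/queue/worker", "json_level": "ERROR",
     "json_message": "heartbeat missed"},
]

# Same pattern as `parse regex field=json_message "^OMP: (?<metric>.*)"`.
OMP_RE = re.compile(r"^OMP: (?P<metric>.*)")


def parse_metric(record):
    """Mirror the parse regex + `json auto field=metric` steps.

    Returns the decoded JSON object, or None when the message has no OMP prefix
    or the payload is not valid JSON (those records drop out of the pipeline).
    """
    match = OMP_RE.match(record.get("json_message", ""))
    if not match:
        return None
    try:
        return json.loads(match.group("metric"))
    except json.JSONDecodeError:
        return None


def request_ids_for_org(records, org_id):
    """The subquery: the set of requestIDs seen on messages whose orgId matches.

    Records with no orgId field are skipped, which is what the answer's extra
    `orgId` keyword in the scope achieves on the Sumo side.
    """
    ids = set()
    for rec in records:
        metric = parse_metric(rec)
        if metric is None or "orgId" not in metric:
            continue
        if metric["orgId"] == org_id and "requestID" in metric:
            ids.add(metric["requestID"])
    return ids


def error_counts_for_org(records, org_id, level="ERROR"):
    """The parent query: messages at `level` that contain one of the subquery's
    requestIDs as a whole keyword, counted by _sourceCategory."""
    keywords = request_ids_for_org(records, org_id)
    # Whole-token match approximates `compose requestID keywords`, so "req-1"
    # does not also match a hypothetical "req-10".
    patterns = [re.compile(r"\b" + re.escape(k) + r"\b") for k in keywords]
    counts = Counter()
    for rec in records:
        if rec.get("json_level") != level:
            continue
        msg = rec.get("json_message", "")
        if any(p.search(msg) for p in patterns):
            counts[rec["_sourceCategory"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print(request_ids_for_org(SAMPLE_LOGS, "org-A"))   # {'req-1'}
    print(error_counts_for_org(SAMPLE_LOGS, "org-A"))  # {'oracle/queue/worker': 1}
```

Running it for org-A yields one requestID and one error in oracle/queue/worker; the org-B error and the unparseable heartbeat line are excluded, and the ingest records without an orgId never raise a missing-field condition because the inner step tests for the key before using it.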