Say you have two log lines that can be parsed like this:
parse "Foo *," as fooId
parse "Bar *," as barId
("fooId" and "barId" are the same id, just named differently in the query fragments here.)
In the happy path case, one of the "Foo" entries should be followed a short time later by a matching "Bar" entry (where fooId == barId).
I want to query for problem cases where we have a "Foo" entry that does not have a matching "Bar" entry. Is there a way to do that with subqueries or maybe some other way?
I've tried something like this and it seems to match all the "Foo" entries -
| parse "Foo *," as fooId
| where ![subquery:_collector="xxx"
| parse "Bar *," as barId
| where fooId == barId
| count by barId | fields barId
| compose barId]
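The check the question asks for is an anti-join: collect the set of ids seen in "Bar" entries, then keep the "Foo" entries whose id is not in that set. The following is an added example, not code from the original post, that runs that logic outside the query engine over a constructed log snippet so the two variants of the check can be compared: "no Bar at all" versus "no Bar within a time window after the Foo". The line format (ISO timestamp, then `Foo <id>,` or `Bar <id>,`), the sample ids and the 30-second default window are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (not from the original post). Each "Foo <id>," line
# should normally be followed shortly by a "Bar <id>," line with the same id.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z Foo a1,
2024-05-01T10:00:01Z Bar a1,
2024-05-01T10:00:02Z Foo b2,
2024-05-01T10:00:03Z Foo c3,
2024-05-01T10:00:04Z Bar c3,
2024-05-01T10:00:05Z Bar zz9,
2024-05-01T10:00:06Z Foo d4,
2024-05-01T10:10:00Z Bar d4,
2024-05-01T10:00:07Z Bar e5,
2024-05-01T10:00:08Z Foo e5,
2024-05-01T10:00:09Z something unrelated
"""

# Equivalent of parse "Foo *," / parse "Bar *,": the id is everything up to the comma.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>Foo|Bar)\s+(?P<id>[^,]+),")


def parse_lines(text):
    """Yield (timestamp, kind, id) for every line matching "Foo <id>," or "Bar <id>,"."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # unrelated line; a parse operator would drop it as well
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group("kind"), m.group("id")


def foo_without_bar(text):
    """Anti-join: ids of Foo entries that have no Bar entry anywhere in the log.

    This mirrors a subquery that first collects the distinct Bar ids and then
    filters the outer Foo entries against that set; the Bar side is evaluated
    on its own, without reference to any field of the outer Foo entry.
    """
    foo_ids, bar_ids = [], set()
    for _, kind, ident in parse_lines(text):
        if kind == "Foo":
            foo_ids.append(ident)
        else:
            bar_ids.add(ident)
    return [i for i in foo_ids if i not in bar_ids]


def foo_without_timely_bar(text, window_seconds=30):
    """Stricter variant: Foo ids whose Bar does not arrive within window_seconds *after* the Foo.

    A Bar that precedes its Foo, or arrives too late, does not count as a match,
    so those Foo entries are reported as problem cases too.
    """
    window = timedelta(seconds=window_seconds)
    entries = sorted(parse_lines(text))  # order by timestamp
    bar_times = {}
    for ts, kind, ident in entries:
        if kind == "Bar":
            bar_times.setdefault(ident, []).append(ts)
    unmatched = []
    for ts, kind, ident in entries:
        if kind != "Foo":
            continue
        matched = any(ts <= bt <= ts + window for bt in bar_times.get(ident, []))
        if not matched:
            unmatched.append(ident)
    return unmatched


if __name__ == "__main__":
    print("Foo with no Bar at all:   ", foo_without_bar(SAMPLE_LOG))
    print("Foo with no Bar in 30s:   ", foo_without_timely_bar(SAMPLE_LOG))
    print("Foo with no Bar in 15min: ", foo_without_timely_bar(SAMPLE_LOG, window_seconds=900))
```

The first function answers the question as literally posed (a Foo with no matching Bar at all); the second is the check that actually encodes "a short time later", and it is the one that surfaces a Bar that arrived before its Foo or long after it, which the plain set difference silently treats as a success.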