I have a web application where each incoming request is given a unique requestID so we can see all the logs for that particular 'request'. This isn't currently a field, but I could/probably should make it one. I am looking for particular events where we log a problem. I want to pull the requestID for all of these events and show the entire 'request' for all of them.

So far looking around it seems the 'map' command is the way to do this. What I haven't seen or figured out is how to do this for multiple requestIDs at once exactly.

    index=foo REQUEST_TIME>2000 | rex field=_raw "^\[\((?<REQID>[^\)]*)" | map search="index=foo $REQID$"

That's the best I've come up with. The regex works because if I pass it to something else like stats count I can see the value with a count of 1.

    index=foo REQUEST_TIME>2000 | rex field=_raw "^\[\((?<REQID>[^\)]*)" | stats count by REQID

So I am close I think. I'd like to make it work before I change the log output to make reqid a field.
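An added example (not from the poster) of doing this for all request IDs in one search instead of one map search per ID: the subsearch collects the distinct REQID values from the slow events, and because the field is renamed to `search`, Splunk inserts the values as bare search terms, so the outer search matches every raw event that contains one of those IDs even though REQID is not yet an indexed field. The index name, the `REQUEST_TIME>2000` filter and the rex pattern are taken from the post; the 10,000-result / 60-second subsearch defaults are Splunk's standard limits and are assumed unchanged.

```spl
index=foo
    [ search index=foo REQUEST_TIME>2000
      | rex field=_raw "^\[\((?<REQID>[^\)]*)"
      | stats count by REQID
      | fields REQID
      | rename REQID as search ]
| rex field=_raw "^\[\((?<REQID>[^\)]*)"
| sort 0 REQID _time
| table _time REQID _raw
```

If the slow-request set exceeds the subsearch limits the subsearch is silently truncated, so check for the truncation warning in the job inspector, and the `map` approach in the question hits a similar ceiling through its `maxsearches` setting (default 10).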