How would I filter my search to select specific orderId in the message field?
deviceId: 12345678
logLevel: INFO
message: --> GET https://example.myorder.com/orders
ADRUM_1: isMobile:true
ADRUM: isAjax:true
--> END GET
<-- 200 https://example.myorder.com/orders (974ms)
date: Wed, 10 Aug 2022 22:16:45 GMT
content-type: application/json; charset=utf-8
x-amzn-requestid: 1234
x-amz-apigw-id: 8901234
x-amzn-trace-id: Root=1-64cef
{"orders":[{"orderId":"99099816588465820255","orderType":"large","orderState":"Ready to Ship","customer":{"firstname":"Stack","surname":"Overflow","email":"example@acme.com","address":{"street1":"23 Elm St","state":"NY","country":"US","city":"New York","postalCode":"10001-1595"}},"orderStateTimestamp":"2022-07-26T15:00:20.617Z","orderCreateTimestamp":"2022-07-26T14:43:01.208Z","batch":{"id":"678-987"}} ...
<-- END HTTP (725966-byte body)
There are a few ways to do that. The first is to simply scan for the orderId in the base search.
index=foo <<orderId>>
but that may produce false positives if the order ID value can appear elsewhere. We can narrow the possibilities to the message field this way
index=foo message="*<<orderId>>*"
OR
index=foo message="*orderId\":\"<<orderId>>\"*"
but leading wildcards are terrible for performance.
Examining the message field after the base search should reduce the false positives.
index=foo
| where match(message, "orderId\\\":\\\"<<orderId>>\\\"")
or
index=foo
| rex field=message "orderId\\\":\\\"(?<orderId>[^\\\"]+)"
| where orderId == "<<orderId>>"
NB: In all of the examples, <<orderId>> should be replaced by the value sought.
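To see why the answer prefers matching the value directly after the orderId key, here is an added Python example (not from the question or the answer) that applies each of the four search strategies to two constructed events; the second event carries the sought digits in deviceId and in a batch id rather than in orderId, so the two wildcard strategies wrongly match it.

```python
import re

# Constructed sample events modelled on the log in the question.
TARGET = "99099816588465820255"

EVENTS = [
    {   # Real hit: the value is the orderId
        "deviceId": "12345678",
        "message": '--> GET https://example.myorder.com/orders\n'
                   '<-- 200 https://example.myorder.com/orders (974ms)\n'
                   '{"orders":[{"orderId":"99099816588465820255","orderType":"large"}]}',
    },
    {   # Decoy: same digits appear in deviceId and batch.id, not in orderId
        "deviceId": "99099816588465820255",
        "message": '{"orders":[{"orderId":"11111111111111111111",'
                   '"batch":{"id":"99099816588465820255"}}]}',
    },
]

def base_scan(events, order_id):
    """index=foo <<orderId>>: any field containing the value matches."""
    return [e for e in events if any(order_id in v for v in e.values())]

def message_wildcard(events, order_id):
    """index=foo message="*<<orderId>>*": substring anywhere in message."""
    return [e for e in events if order_id in e["message"]]

def message_match(events, order_id):
    """| where match(message, ...): value must directly follow the orderId key."""
    pat = re.compile(r'orderId":"' + re.escape(order_id) + r'"')
    return [e for e in events if pat.search(e["message"])]

def rex_then_compare(events, order_id):
    """| rex ... | where orderId == ...: extract the key's value, then compare."""
    pat = re.compile(r'orderId":"(?P<orderId>[^"]+)')
    out = []
    for e in events:
        m = pat.search(e["message"])
        if m and m.group("orderId") == order_id:
            out.append(e)
    return out

if __name__ == "__main__":
    for fn in (base_scan, message_wildcard, message_match, rex_then_compare):
        print(f"{fn.__name__:18} -> {len(fn(EVENTS, TARGET))} event(s)")
```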