...
_source=BridgeServer2-Prod MetricsFilter reauth "\"status\":200" "\"user_agent\":\"Blood Pressure/88" | parse "\"remote_address\":\"\"" as ipAddress | where [subquery: _source=BridgeServer2-Prod MetricsFilter reauth "\"status\":404" "\"user_agent\":\"Blood Pressure/88" | parse "\"remote_address\":\"\"" as ipAddress | count ipAddress | compose ipAddress] | count ipAddress | order by _count desc
Get all MetricsFilter entries for reauth calls that succeeded that also had failing reauth calls in the same time frame.
_source=BridgeServer2-Prod MetricsFilter | parse "\"request_id\":\"*\"" as requestId | where [subquery:_source=BridgeServer2-Prod error "broken pipe" | parse regex "(?<D>ERROR)" | parse "BridgeExceptionHandler - request: * " as requestId | compose requestId]
Get all MetricsFilter entries for all requests affected by broken pipe errors.
Nested queries. Also works with where ![subquery: ...].