topic Re: Search a two messages from 6 hosts and show top 6 results in Splunk Search https://community.splunk.com/t5/Splunk-Search/Search-a-two-messages-from-6-hosts-and-show-top-6-results/m-p/561165#M159503 <P>it updated and resoled</P> Wed, 28 Jul 2021 09:41:06 GMT sandeepparcha44 2021-07-28T09:41:06Z Search a two messages from 6 hosts and show top 6 results https://community.splunk.com/t5/Splunk-Search/Search-a-two-messages-from-6-hosts-and-show-top-6-results/m-p/560699#M159364 <P>Hi</P><P>I am trying to search two strings in message like "Stopped successfully" and "connected" from 6 host names.</P><P>Please help me</P><P>am writing like below</P><P>Source="WinEventlog:applicaiton"</P><P>|rex "message\s(?&lt;message&gt;.*).*"</P><P>|search host like "host1" OR host Like "host2"</P><P>| search message="stopped succesfully" OR "Connected"</P><P>|table _time, host, message</P> Sun, 25 Jul 2021 06:20:34 GMT https://community.splunk.com/t5/Splunk-Search/Search-a-two-messages-from-6-hosts-and-show-top-6-results/m-p/560699#M159364 sandeepparcha44 2021-07-25T06:20:34Z Re: Search a two messages from 6 hosts and show top 6 results https://community.splunk.com/t5/Splunk-Search/Search-a-two-messages-from-6-hosts-and-show-top-6-results/m-p/560700#M159365 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/236790">@sandeepparcha44</a>&nbsp;</P><P>Try like this,</P><P>&nbsp;</P><LI-CODE lang="markup">Source="WinEventlog:applicaiton" (host="host1*" OR host="host2*") (message="*stopped succesfully*" OR message="*Connected*") | rex field=_raw "message\s(?&lt;message1&gt;.*).*" |table _time, host, message, message1</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>KV&nbsp;</P> Wed, 28 Jul 2021 09:35:12 GMT https://community.splunk.com/t5/Splunk-Search/Search-a-two-messages-from-6-hosts-and-show-top-6-results/m-p/560700#M159365 kamlesh_vaghela 2021-07-28T09:35:12Z Re: Search a two messages from 6 hosts and show top 6 results https://community.splunk.com/t5/Splunk-Search/Search-a-two-messages-from-6-hosts-and-show-top-6-results/m-p/561161#M159499 <P>Thank you Kamalesh, its working for Hosts.</P><P>but am not getting "message"</P> Wed, 28 Jul 2021 09:31:55 GMT https://community.splunk.com/t5/Splunk-Search/Search-a-two-messages-from-6-hosts-and-show-top-6-results/m-p/561161#M159499 sandeepparcha44 2021-07-28T09:31:55Z Re: Search a two messages from 6 hosts and show top 6 results https://community.splunk.com/t5/Splunk-Search/Search-a-two-messages-from-6-hosts-and-show-top-6-results/m-p/561162#M159500 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/236790">@sandeepparcha44</a>&nbsp;</P><P>I have updated my answer. Can you please try it?</P> Wed, 28 Jul 2021 09:35:43 GMT https://community.splunk.com/t5/Splunk-Search/Search-a-two-messages-from-6-hosts-and-show-top-6-results/m-p/561162#M159500 kamlesh_vaghela 2021-07-28T09:35:43Z Re: Search a two messages from 6 hosts and show top 6 results https://community.splunk.com/t5/Splunk-Search/Search-a-two-messages-from-6-hosts-and-show-top-6-results/m-p/561163#M159501 <P>Are you spelling application wrong</P><LI-CODE lang="markup">WinEventlog:applicaiton</LI-CODE><P>should be&nbsp;</P><LI-CODE lang="markup">WinEventlog:application</LI-CODE> Wed, 28 Jul 2021 09:39:31 GMT https://community.splunk.com/t5/Splunk-Search/Search-a-two-messages-from-6-hosts-and-show-top-6-results/m-p/561163#M159501 bowesmana 2021-07-28T09:39:31Z Re: Search a two messages from 6 hosts and show top 6 results https://community.splunk.com/t5/Splunk-Search/Search-a-two-messages-from-6-hosts-and-show-top-6-results/m-p/561164#M159502 <P>Still same,</P><P>sample message in the log willbe like below</P><P>Message=Event : _*protocol* Name&nbsp; : tcp://servername:port</P> Wed, 28 Jul 2021 09:40:10 GMT https://community.splunk.com/t5/Splunk-Search/Search-a-two-messages-from-6-hosts-and-show-top-6-results/m-p/561164#M159502 sandeepparcha44 2021-07-28T09:40:10Z Re: Search a two messages from 6 hosts and show top 6 results https://community.splunk.com/t5/Splunk-Search/Search-a-two-messages-from-6-hosts-and-show-top-6-results/m-p/561165#M159503 <P>it updated and resoled</P> Wed, 28 Jul 2021 09:41:06 GMT https://community.splunk.com/t5/Splunk-Search/Search-a-two-messages-from-6-hosts-and-show-top-6-results/m-p/561165#M159503 sandeepparcha44 2021-07-28T09:41:06Z Re: Search a two messages from 6 hosts and show top 6 results https://community.splunk.com/t5/Splunk-Search/Search-a-two-messages-from-6-hosts-and-show-top-6-results/m-p/561166#M159504 <P>Still same,</P><P>sample message in the log will be like below</P><P>Message=Event : _*protocol* Name&nbsp; : tcp://servername:port</P> Wed, 28 Jul 2021 09:42:44 GMT https://community.splunk.com/t5/Splunk-Search/Search-a-two-messages-from-6-hosts-and-show-top-6-results/m-p/561166#M159504 sandeepparcha44 2021-07-28T09:42:44Z Re: Search a two messages from 6 hosts and show top 6 results https://community.splunk.com/t5/Splunk-Search/Search-a-two-messages-from-6-hosts-and-show-top-6-results/m-p/561170#M159507 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/236790">@sandeepparcha44</a>&nbsp;</P><P>Can you please try this?</P><LI-CODE lang="markup">Source="WinEventlog:applicaiton" (host="host1*" OR host="host2*") (message="*stopped succesfully*" OR message="*Connected*") | rex field=_raw "Message=(?&lt;message1&gt;.*).*" |table _time, host, message, message1</LI-CODE> Wed, 28 Jul 2021 09:49:41 GMT https://community.splunk.com/t5/Splunk-Search/Search-a-two-messages-from-6-hosts-and-show-top-6-results/m-p/561170#M159507 kamlesh_vaghela 2021-07-28T09:49:41Z Re: Search a two messages from 6 hosts and show top 6 results https://community.splunk.com/t5/Splunk-Search/Search-a-two-messages-from-6-hosts-and-show-top-6-results/m-p/561171#M159508 <P>it worked , but i have to add</P><P>&nbsp;</P><P>"Message=Event*(?&lt;message1&gt;.*).*</P><P>&nbsp;</P><P>Thank you..</P> Wed, 28 Jul 2021 09:53:43 GMT https://community.splunk.com/t5/Splunk-Search/Search-a-two-messages-from-6-hosts-and-show-top-6-results/m-p/561171#M159508 sandeepparcha44 2021-07-28T09:53:43Z