https://community.splunk.com/t5/Splunk-Search/How-to-search-two-strings-and-create-a-message-in-email-body/m-p/634956#M220578 <P>Hi Team,</P> <P>I am trying to search &lt;string1&gt; and &lt;String2&gt; from different lines in same log having 100 lines, if both matched i want to show in result with _time, Sring1, String2. Please assist me.</P> <P>Sample log is like below</P> <P>... 66 lines omitted ...</P> <P>Linexx</P> <P>Linexx ]: "&lt;string1&gt;"</P> <P>Linexx &lt;string2&gt;</P> <P>&nbsp;</P> <P>Result should be link&nbsp;</P> <P>_time , String1&nbsp;</P> Fri, 17 Mar 2023 17:33:20 GMT sandeepparcha44 2023-03-17T17:33:20Z https://community.splunk.com/t5/Splunk-Search/How-to-search-two-strings-and-create-a-message-in-email-body/m-p/634956#M220578 <P>Hi Team,</P> <P>I am trying to search &lt;string1&gt; and &lt;String2&gt; from different lines in same log having 100 lines, if both matched i want to show in result with _time, Sring1, String2. Please assist me.</P> <P>Sample log is like below</P> <P>... 66 lines omitted ...</P> <P>Linexx</P> <P>Linexx ]: "&lt;string1&gt;"</P> <P>Linexx &lt;string2&gt;</P> <P>&nbsp;</P> <P>Result should be link&nbsp;</P> <P>_time , String1&nbsp;</P> Fri, 17 Mar 2023 17:33:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-two-strings-and-create-a-message-in-email-body/m-p/634956#M220578 sandeepparcha44 2023-03-17T17:33:20Z https://community.splunk.com/t5/Splunk-Search/How-to-search-two-strings-and-create-a-message-in-email-body/m-p/634964#M220584 <P>If the 100 lines are all in the same event then a simple AND should do it.</P><LI-CODE lang="markup">index=foo "string1" "string2" | eval string1="string1" | table _time string1</LI-CODE><P>The result will not be a link, however.</P><P>If the 100 lines are in separate events then correlating string1 and string2 requires something common to the two events.&nbsp; What would that be?</P> Fri, 17 Mar 2023 17:58:18 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-two-strings-and-create-a-message-in-email-body/m-p/634964#M220584 richgalloway 2023-03-17T17:58:18Z https://community.splunk.com/t5/Splunk-Search/How-to-search-two-strings-and-create-a-message-in-email-body/m-p/634997#M220603 <P>Thank you for reply,</P><P>Sorry i missed one thing, Sting 1 is like "*(DC)_String1",&nbsp; when it is showing result it show DC_String1. Is it possible.</P><P>Example like AZ_String1 or TX_String1 like this.</P> Sat, 18 Mar 2023 04:24:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-two-strings-and-create-a-message-in-email-body/m-p/634997#M220603 sandeepparcha44 2023-03-18T04:24:06Z https://community.splunk.com/t5/Splunk-Search/How-to-search-two-strings-and-create-a-message-in-email-body/m-p/635009#M220607 <P>It is possible only if you state the problem accurately. &nbsp;Using the same formula as&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>'s,</P><LI-CODE lang="markup">index=foo "*_String1" "string2" | rex "\b(?&lt;dc_string&gt;\w+_String1)\b" | table _time dc_string</LI-CODE><P>Based on your example, the above assumes that this (DC)_String1 is surrounded by word boundaries.</P> Sat, 18 Mar 2023 08:24:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-two-strings-and-create-a-message-in-email-body/m-p/635009#M220607 yuanliu 2023-03-18T08:24:24Z https://community.splunk.com/t5/Splunk-Search/How-to-search-two-strings-and-create-a-message-in-email-body/m-p/635015#M220609 <P><SPAN>Example like AZ_String1 or TX_String1 like this.</SPAN></P> Sat, 18 Mar 2023 08:50:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-two-strings-and-create-a-message-in-email-body/m-p/635015#M220609 sandeepparcha44 2023-03-18T08:50:21Z https://community.splunk.com/t5/Splunk-Search/How-to-search-two-strings-and-create-a-message-in-email-body/m-p/635041#M220623 <P>Then the above rex should give you that.</P> Sat, 18 Mar 2023 19:04:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-two-strings-and-create-a-message-in-email-body/m-p/635041#M220623 yuanliu 2023-03-18T19:04:52Z https://community.splunk.com/t5/Splunk-Search/How-to-search-two-strings-and-create-a-message-in-email-body/m-p/635061#M220635 <P>A side note - remember that searching for terms with a wildcard at the start is very inefficient.</P> Sun, 19 Mar 2023 10:08:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-two-strings-and-create-a-message-in-email-body/m-p/635061#M220635 PickleRick 2023-03-19T10:08:41Z