I have 2 sourcetypes. For each sourcetype having different error messages, how can I search those 2 different error messages to see if they happened in a bucket of 1 minute timespan?
sourcetyep=first OR sourcetyep=second_one ErrorMessage="timeout" OR ErrorMessage="brokenPipe" |bucket _time span=1m
Here's one way
( sourcetype=first OR sourcetype=second_one) (ErrorMessage="timeout" OR ErrorMessage="brokenPipe")
| sort 0 _time
| streamstats time_winidow=60s values(ErrorMessage) as ErrorMessage
| where mvcount(ErrorMessage) >1
i have change a logic that both the conditions was happened in a bucket of time 1 min , still its not working,
(sourcetype=nginx:apierror ErrorMessage="connect() failed (111: Connection refused) while connecting to upstream") AND (sourcetype=nginx:nginxerror ErrorMessage="open()*No such file or directory)") | streamstats time_window=60s values(ErrorMessage) as ErrorMessage| where mvcount(ErrorMessage) >1
Replace the AND with an OR in your search
(sourcetype=nginx:apierror ErrorMessage="connect() failed (111: Connection refused) while connecting to upstream") OR (sourcetype=nginx:nginxerror ErrorMessage="open()*No such file or directory)")
Your search will return events with (values A B) AND (values C D). Instead I think you want events with (values A B) OR (values C D)