Below is the log example.
Fri Oct 11 20:01:48 2019: History was not closed with a proper agent termination after the above date.
Fri Oct 11 20:01:48 2019: Repairing of history database started...
Fri Oct 11 20:01:48 2019: NumRead 48 NumWritten 48
Fri Oct 11 20:01:48 2019: Successfully fixed parameter history database.
Fri Oct 11 20:01:48 2019: NumRead 48 NumWritten 48
Fri Oct 11 20:01:48 2019: Successfully fixed annotation database.
Fri Oct 11 20:01:48 2019: Repairing of history database was completed successfully
The first and last lines were the 2 strings that I was looking for in the log.
I wanted to create a search that returns a list of server names where only string 1 is found and string 2 is NOT. Because each timestamp is parsed as a separate event, a simple "search1 NOT search2" doesn't work. I tried a subsearch like search string 1 NOT [search string 2] and it still didn't work as I expected. Any idea? Thanks.
Zhang
Yeah, so that's what you are getting. Add |table server at the end. I am assuming that all the servers are stored in a field. If not, then you would have to extract it.
Cool... Thank you very much!! It worked.
try this:
index=<your_index>
| eval field=case(like(_raw,"%History was not closed with a proper agent termination after the above date%"),"value1", like(_raw,"%Repairing of history database was completed successfully%"),"value2")
| stats dc(field) as dc_field values(field) as field by server
| where dc_field=1 AND field="value1"
If it works for you please accept the answer to close this question.
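The per-server aggregation that the answer's SPL performs (eval/case to tag each event, stats dc/values by server, then a where filter), restated as a stand-alone Python script. This is an added example, not code from the post; the server names and the event list are constructed so the logic can be checked offline.

```python
import re
from collections import defaultdict

# Constructed sample events as (server, _raw) pairs; srv02 is the only server
# that logged the "not closed" line without the "completed successfully" line.
SAMPLE_EVENTS = [
    ("srv01", "Fri Oct 11 20:01:48 2019: History was not closed with a proper agent termination after the above date."),
    ("srv01", "Fri Oct 11 20:01:48 2019: Repairing of history database started..."),
    ("srv01", "Fri Oct 11 20:01:48 2019: Repairing of history database was completed successfully"),
    ("srv02", "Fri Oct 11 20:02:10 2019: History was not closed with a proper agent termination after the above date."),
    ("srv02", "Fri Oct 11 20:02:10 2019: Repairing of history database started..."),
    ("srv03", "Fri Oct 11 20:03:00 2019: Repairing of history database was completed successfully"),
    ("srv04", "Fri Oct 11 20:04:00 2019: NumRead 48 NumWritten 48"),
]

# The two substrings from the answer's like(_raw, "%...%") tests.
PATTERNS = {
    "value1": re.compile(r"History was not closed with a proper agent termination after the above date"),
    "value2": re.compile(r"Repairing of history database was completed successfully"),
}


def classify(raw):
    """Mirror eval field=case(like(...),"value1", like(...),"value2"):
    the first matching test wins; no match leaves the field null (None)."""
    for value, pattern in PATTERNS.items():
        if pattern.search(raw):
            return value
    return None


def servers_with_only_value1(events):
    """Mirror stats dc(field) values(field) by server | where dc_field=1 AND field="value1".
    A null field contributes nothing to dc() or values(), so a server whose
    events never matched either pattern ends up with dc 0 and is filtered out."""
    values_by_server = defaultdict(set)
    for server, raw in events:
        value = classify(raw)
        if value is not None:
            values_by_server[server].add(value)
    return sorted(server for server, vals in values_by_server.items() if vals == {"value1"})


if __name__ == "__main__":
    print(servers_with_only_value1(SAMPLE_EVENTS))  # ['srv02']
```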