Splunk Search

Search a two messages from 6 hosts and show top 6 results

sandeepparcha44
Explorer

Hi

I am trying to search two strings in message like "Stopped successfully" and "connected" from 6 host names.

Please help me

am writing like below

Source="WinEventlog:applicaiton"

|rex "message\s(?<message>.*).*"

|search host like "host1" OR host Like "host2"

| search message="stopped succesfully" OR "Connected"

|table _time, host, message

Labels (2)
0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@sandeepparcha44 

Can you please try this?

Source="WinEventlog:applicaiton" (host="host1*" OR host="host2*") (message="*stopped succesfully*" OR message="*Connected*")
| rex field=_raw "Message=(?<message1>.*).*"
|table _time, host, message, message1

sandeepparcha44
Explorer

it worked , but i have to add

 

"Message=Event*(?<message1>.*).*

 

Thank you..

0 Karma

sandeepparcha44
Explorer

Still same,

sample message in the log will be like below

Message=Event : _*protocol* Name  : tcp://servername:port

0 Karma

sandeepparcha44
Explorer

Still same,

sample message in the log willbe like below

Message=Event : _*protocol* Name  : tcp://servername:port

0 Karma

bowesmana
SplunkTrust
SplunkTrust

Are you spelling application wrong

WinEventlog:applicaiton

should be 

WinEventlog:application

sandeepparcha44
Explorer

it updated and resoled

0 Karma

sandeepparcha44
Explorer

Thank you Kamalesh, its working for Hosts.

but am not getting "message"

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@sandeepparcha44 

I have updated my answer. Can you please try it?

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@sandeepparcha44 

Try like this,

 

Source="WinEventlog:applicaiton" (host="host1*" OR host="host2*") (message="*stopped succesfully*" OR message="*Connected*")
| rex field=_raw "message\s(?<message1>.*).*" 
|table _time, host, message, message1

 

 

KV 

Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...