Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Search log for alert
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have good day for Everybody
Pls help me to search exactly the content.
My input log is:
status system replication site "1": ERROR
status system replication site "3": ACTIVE
overall system replication status: ERROR.
My search and will add the alert:
index="...." host="..." status system replication site "1": ACTIVE | head 1
the result is:
status system replication site "1": ERROR
status system replication site "3": ACTIVE
overall system replication status: ERROR.
But i couldn't know: site "1" ACTIVE or ERROR.
Pls help me define the searching.
Thank
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Giuseppe,
The full one log have 32 line. i only copy the 3 line. This is not the log. Only i export the command line to the log file and send his file to the splunk. The log content is:
| SYSTEMDB | p-crm-db01 | 30601 | nameserver | 1 | 2 | CRM01 | p-crm-db02 | 30601 | 1 | CRM02 | YES | SYNC | ACTIVE | |
| QP2 | p-crm-db01 | 30652 | indexserver | 2 | 2 | CRM01 | p-crm-db02 | 30652 | 1 | CRM02 | YES | SYNC | ACTIVE | |
| RP2 | p-crm-db01 | 30640 | indexserver | 2 | 2 | CRM01 | p-crm-db02 | 30640 | 1 | CRM02 | YES | SYNC | ACTIVE | |
| JP2 | p-crm-db01 | 30646 | indexserver | 2 | 2 | CRM01 | p-crm-db02 | 30646 | 1 | CRM02 | YES | SYNC | ACTIVE | |
| CP2 | p-crm-db01 | 30643 | indexserver | 2 | 2 | CRM01 | p-crm-db02 | 30643 | 1 | CRM02 | YES | SYNC | ACTIVE | |
| OP2 | p-crm-db01 | 30649 | indexserver | 2 | 2 | CRM01 | p-crm-db02 | 30649 | 1 | CRM02 | YES | SYNC | ACTIVE | |
status system replication site "1": ACTIVE
status system replication site "3": ERROR
overall system replication status: ERROR
Show that i want to detect the log file about that:
status system replication site "3": ACTIVE or ERROR.
If i search the content about that:
index=linux host="..." ("status system replication site "3": ACTIVE")
the result is :
status system replication site "1": ACTIVE
status system replication site "3": ERROR
overall system replication status: ERROR
This is false the result.
Thank
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Giuseppe,
The full one log have 32 line. i only copy the 3 line. This is not the log. Only i export the command line to the log file and send his file to the splunk. The log content is:
| SYSTEMDB | p-crm-db01 | 30601 | nameserver | 1 | 2 | CRM01 | p-crm-db02 | 30601 | 1 | CRM02 | YES | SYNC | ACTIVE | |
| QP2 | p-crm-db01 | 30652 | indexserver | 2 | 2 | CRM01 | p-crm-db02 | 30652 | 1 | CRM02 | YES | SYNC | ACTIVE | |
| RP2 | p-crm-db01 | 30640 | indexserver | 2 | 2 | CRM01 | p-crm-db02 | 30640 | 1 | CRM02 | YES | SYNC | ACTIVE | |
| JP2 | p-crm-db01 | 30646 | indexserver | 2 | 2 | CRM01 | p-crm-db02 | 30646 | 1 | CRM02 | YES | SYNC | ACTIVE | |
| CP2 | p-crm-db01 | 30643 | indexserver | 2 | 2 | CRM01 | p-crm-db02 | 30643 | 1 | CRM02 | YES | SYNC | ACTIVE | |
| OP2 | p-crm-db01 | 30649 | indexserver | 2 | 2 | CRM01 | p-crm-db02 | 30649 | 1 | CRM02 | YES | SYNC | ACTIVE | |
status system replication site "1": ACTIVE
status system replication site "3": ERROR
overall system replication status: ERROR
Show that i want to detect the log file about that:
status system replication site "3": ACTIVE or ERROR.
If i search the content about that:
index=linux host="..." ("status system replication site "3": ACTIVE")
the result is :
status system replication site "1": ACTIVE
status system replication site "3": ERROR
overall system replication status: ERROR
This is false the result.
Thank
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi dangtran,
beware that you have quotes in your strings so you have to escape them in searches
index=linux host="..." "status system replication site \"3\": ACTIVE"
or use a rex command
index=linux host="..." | rex "status system replication site \"3\": ACTIVE"
in this way you take only the row where you have status system replication site "3": ACTIVE
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Giuseppe,
This working. Thank you very much.
Have good day for you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi dangtran,
let me understand: do you want to find the first occurrance of the string status system replication site "1": ACTIVE or other?
If you want the exact string use quotes (").
There's a thing that I don't understand: you used | head 1, why you say that you received as result three strings?
status system replication site "1": ERROR
status system replication site "3": ACTIVE
overall system replication status: ERROR.
In addition, in your example there isn't any row that matches the search string, so you should not have any result.
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you're satisfied, pleace accept or upvote my answer.
By.
Giuseppe
.conf25 Community Recap
Splunk App Developers | .conf25 Recap & What’s Next
Congratulations to the 2025-2026 SplunkTrust!
