Hi
I have a specific event message that I'm trying to search for.
Now my ideal search string looks like this:
index=bec_ci_prod deploy_status_type=info direction=exiting method=execute_package
Now this search string does not give me a result.
But if I remove the last token from the search like this:
index=bec_ci_prod deploy_status_type=info direction=exiting
Then I get a result
I know the event data is there because I can search specifically for it.
The text that contains what I'm looking for looks like this:
12:13:49|INFO|internals.py|147| [deploy_status] deploy_status_type=info direction=exiting method=execute_package file=deploy_profile.py engine_type=was method_duration=562156
Any ideas of how to do a search that would show this?
Kind Regards
Henrik
Ok part of the issue is when you add terms in the form of a=b, Splunk is looking for Key Value Pairs. KV pairs have to be extracted. Try either extracting those Key Value Pairs, or running a literal search by enclosing the terms in quotes.
index=bec_ci_prod SWIFT-TEST-RMA-AskProfileDeploySwitch AND ("deploy_status_type=info" AND "direction=exiting" AND "method=execute_package")
Hi Guys
Thanks for the input, the result was that:
index=bec_ci_prod ("deploy_status_type=info" AND "direction=exiting" AND "method=execute_package")
Actually does work. It did return the expected result, I just missed it the first run through.
Thanks a lot for the assist
Hi I tried modifying the search string as you suggested.
However this search string:
index=bec_ci_prod SWIFT-TEST-RMA-AskProfileDeploySwitch AND ("deploy_status_type=info" AND "direction=exiting" AND "method=execute_package")
Is just to verify that the event I want in my list is actually there. The original search string also returns the event:
index=bec_ci_prod SWIFT-TEST-RMA-AskProfileDeploySwitch deploy_status_type=info direction=exiting method=execute_package
The goal is to have a search string that looks like this:
index=bec_ci_prod ("deploy_status_type=info" AND "direction=exiting" AND "method=execute_package")
and that will return a list with all the events with this data in it:
EVENT1
12:51:35|INFO|internals.py|147| [deploy_status] deploy_status_type=info direction=exiting method=execute_package file=deploy_profile.py engine_type=was method_duration=406745
... 81 lines omitted ...
source = H:\hudson\jobs\INET-SANDBOX-SERVLETETICKET-AskDeploySwitch\builds\2016-09-06_12-4
EVENT2
12:13:47|INFO|bitvise.py|408| [b00011103134.res.bec.dk] 12:13:47|INFO|install_profile.py|860| DEPLOYMENT OF rma_test was FINISHED! 12:13:49|INFO|internals.py|147| [deploy_status] deploy_status_type=info direction=exiting method=execute_package file=deploy_profile.py engine_type=was method_duration=562156
source = H:\hudson\jobs\SWIFT-TEST-RMA-AskProfileDeploySwitch\builds\2016-09-06_12-02-46\log
As I can see it, the only difference between these two events is the source information. But I do not want to use that either.
So in short the search string: index=bec_ci_prod ("deploy_status_type=info" AND "direction=exiting" AND "method=execute_package")
Needs to return EVENT1 & EVENT2, but currently only EVENT1 is in my result.
Hi
I think I need to clarify the search string: index=bec_ci_prod deploy_status_type=info direction=exiting method=execute_package
Does return a result, however there is a certain event that should fit this search criteria, but it's not in the search result.
This is the text from an event that is in the result:
09:46:15|INFO|internals.py|147| [deploy_status] deploy_status_type=info direction=exiting method=execute_package file=deploy_profile.py engine_type=http method_duration=48977
Now this is the text from the event that is NOT in the result:
12:13:49|INFO|internals.py|147| [deploy_status] file=deploy_profile.py engine_type=was method_duration=562156
I have a unique search string that does return the specific event that should be in the result.
This string returns the event:
index=bec_ci_prod SWIFT-TEST-RMA-AskProfileDeploySwitch deploy_status_type=info direction=exiting
This string does not:
index=bec_ci_prod SWIFT-TEST-RMA-AskProfileDeploySwitch deploy_status_type=info direction=exiting method=execute_package
I have no idea why this is 🙂
Your search terms are implicitly combined using a boolean AND operation. Any events that do not have a method field will consequently not qualify for your result set.
In other words: You are explicitly looking for method=execute_package but that key/value pair is not present in the log event you have listed as not showing up. So, the results are as expected.
Hi, you're right, the text I posted did not contain the information. I think there was a copy/paste issue.
Because the event I expect to have on my list has this data:
12:13:49|INFO|internals.py|147| [deploy_status] deploy_status_type=info direction=exiting method=execute_package file=deploy_profile.py engine_type=was method_duration=562156
And the method field is in the text. But it's just not in my result set.
And the text from an event that IS shown:
12:54:03|INFO|internals.py|147| [deploy_status] deploy_status_type=info direction=exiting method=execute_package file=deploy_profile.py engine_type=was method_duration=1024765
The time range of my search is only 1 hour on a specific date, so I know that the event I expect is there.
I can get the event in my result by writing:
index=bec_ci_prod SWIFT-TEST-RMA-AskProfileDeploySwitch ("deploy_status_type=info" AND "direction=exiting" AND "method=execute_package")
But I need the search string to look something like this:
index=bec_ci_prod ("deploy_status_type=info" AND "direction=exiting" AND "method=execute_package")
This text: SWIFT-TEST-RMA-AskProfileDeploySwitch is different for most events
I have a feeling your fields aren't being extracted properly. What do you get if you do the following:
index=bec_ci_prod deploy_status_type=info direction=exiting | table deploy_status_type direction method
Do you have any values for method? If not you need to work on your field extractions...
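A way to check the field-extraction hypothesis above, as an added example that is not part of the original thread: match on the quoted literal terms so every event containing the text is returned, then compare the automatically extracted `method` field with a value pulled straight from `_raw`. The field names `method_raw` and `extraction_ok` are hypothetical names introduced for this example.

```spl
index=bec_ci_prod "deploy_status_type=info" "direction=exiting" "method=execute_package"
| rex field=_raw "method=(?<method_raw>execute_package)"
| eval extraction_ok=if(isnotnull(method) AND method=="execute_package", "yes", "no")
| table _time source method method_raw extraction_ok
| sort extraction_ok
```

Rows with extraction_ok=no are events whose raw text contains the pair but whose `method` field was not extracted with that value; those are the events a field search on method=execute_package leaves out.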