The problem I am having is the raw data looks like this:

"[8/8/24 13:37:46:622 EDT] 00007e14 HOSTEDWIRES** I ************"

What I am trying to do is do a search on the raw data and find the "W" and "E", where the raw data looks like this:

"[8/8/24 13:37:46:622 EDT] 00007e14 HOSTEDWIRES** W ************"

or

"[8/8/24 13:37:46:622 EDT] 00007e14 HOSTEDWIRES** E ************"

A basic search I am using (sorry, I had to obfuscate some of the SPL):

index="index" host IN ("Server 1","Server 2","Backup Server 1","Backup Server 2") source=* sourcetype=###_was_systemout_log | search ("W" OR "E")

In WebSphere SystemOut logs, the warning or error indicator comes after the timestamp and application type. So, when I search for just ("W" or "E") it will pull everything that has "W" or "E" in the text. How do I isolate it to search for that after the application type, and before the transaction raw data?

I don't get to play with Splunk that much, so this is beyond my skill level. I am still learning. Thanks again for the help.
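The fix the question is after is to extract the one-letter level as its own field, positioned after the thread id and component, and filter on that field instead of searching the whole event for "W" or "E". Below is an added example (not from the original post or from Splunk) that parses constructed SystemOut-style lines with a regex and shows why a plain text search over-matches; the field names (thread, component, level, msg) and the equivalent SPL rex in the comment are my assumptions.

```python
import re
from typing import Optional

# WebSphere SystemOut.log line layout, as described in the question:
#   [timestamp] threadId componentName level message
# The single-letter level (I, W, E, ...) sits after the component and before the message.
# Assumed Splunk equivalent (rex uses (?<name>...) rather than Python's (?P<name>...)):
#   ... | rex field=_raw "^\[[^\]]+\]\s+(?<thread>[0-9A-Fa-f]{8})\s+(?<component>\S+)\s+(?<level>[A-Z])\s+"
#       | search level IN ("W","E")
SYSTEMOUT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+"         # [8/8/24 13:37:46:622 EDT]
    r"(?P<thread>[0-9A-Fa-f]{8})\s+"  # 00007e14
    r"(?P<component>\S+)\s+"          # HOSTEDWIRES** (obfuscated in the post)
    r"(?P<level>[A-Z])\s+"            # I / W / E ...
    r"(?P<msg>.*)$"                   # the rest of the event
)

def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one SystemOut line, or None if the line does not match."""
    m = SYSTEMOUT_RE.match(line)
    return m.groupdict() if m else None

def filter_levels(lines, levels=("W", "E")):
    """Keep only events whose extracted level field is in `levels`."""
    out = []
    for line in lines:
        fields = parse_line(line)
        if fields and fields["level"] in levels:
            out.append(fields)
    return out

# Constructed sample events (modelled on the post's line, not real log data).
# The last two are level I but carry a stray "E"/"W" in the message text,
# which a bare search for "W" OR "E" would match and this field filter does not.
SAMPLE = [
    "[8/8/24 13:37:46:622 EDT] 00007e14 HOSTEDWIRES** I Application started",
    "[8/8/24 13:37:47:101 EDT] 00007e14 HOSTEDWIRES** W Connection pool near limit",
    "[8/8/24 13:37:48:009 EDT] 00007e15 HOSTEDWIRES** E Transaction rolled back",
    "[8/8/24 13:37:49:500 EDT] 00007e16 HOSTEDWIRES** I Wire E2E check passed",
    "[8/8/24 13:37:50:010 EDT] 00007e17 HOSTEDWIRES** I Processed W report for client",
]

if __name__ == "__main__":
    for f in filter_levels(SAMPLE):
        print(f["level"], f["thread"], f["msg"])
```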