index=cricket_index_idx sourcetype=tv (ServiceInvoker=",F," OR ServiceInvoker=",SE,") HOST=cricket STEP="europe/cricket/ronaldo/" | fields - _* | table *
This gave error message.
When i tried the following
** index=cricket_index_idx sourcetype=tv (service_status=",F," OR service_statusr=",SE,") HOST=cricket STEP="europe/cricket/ronaldo/" | fields - _* | table ***
It gave the whole log data again.
Sample data is appserver logs. In this the pattern from server appears many times. Sometimes the status is S i.e Success and at other times it is F or SE i.e not successful. We need to capture all the instances when it is F or SE. And in this pattern only, after the status, service name for which the status is F or SE is mentioned.
So, we need to check the status. if the status is F or SE then capture Service name
$$$$$$$$$$$$$##########ServiceInvoker,1.4,S,400,0,ServiceName########*
ServiceInvoker,1.4,S,400,0,ServiceName1**########
!!!!!!!!!!!!!!ServiceInvoker,1.4,S,400,0,ServiceName2
... View more