Hi Laya123,
try something like this:
index=ibm sourcetype=act host=KO*MRI65* OR host=KO*MRI75*
| rex field=_raw ".*.*ACT,(?<activationID>[0-9]+ - [0-9|a-z|A-Z]+),.*"
| rex field=_raw ".*ERROR: (?.*)"
| eval Tier=if(match(host,"KO...MRI65."), "Launch", "Publish")
| transaction activationID maxevents=10000 startswith="RemoteActivateServer START"
| eval ProjectStatus=case(match(_raw,"Connecting to DPM") , "Queued" , match(_raw,"Project .* activated"), "Activated" , match(_raw, "Activate failed"), "Failed")
| table activationID ProjectStatus
This was not tested - now it is. Still, maybe you need to adapt it to your needs; but it should get you started ...
cheers, MuS