Re: How to search two strings and create a message...

sandeepparcha44 · ‎03-17-2023

Hi Team,

I am trying to search <string1> and <String2> from different lines in same log having 100 lines, if both matched i want to show in result with _time, Sring1, String2. Please assist me.

Sample log is like below

... 66 lines omitted ...

Linexx

Linexx ]: "<string1>"

Linexx <string2>

Result should be link

_time , String1

richgalloway · ‎03-17-2023

If the 100 lines are all in the same event then a simple AND should do it.

index=foo "string1" "string2"
| eval string1="string1"
| table _time string1

The result will not be a link, however.

If the 100 lines are in separate events then correlating string1 and string2 requires something common to the two events. What would that be?

---
If this reply helps you, Karma would be appreciated.

sandeepparcha44 · ‎03-17-2023

Thank you for reply,

Sorry i missed one thing, Sting 1 is like "*(DC)_String1", when it is showing result it show DC_String1. Is it possible.

Example like AZ_String1 or TX_String1 like this.

PickleRick · ‎03-19-2023

A side note - remember that searching for terms with a wildcard at the start is very inefficient.

yuanliu · ‎03-18-2023

It is possible only if you state the problem accurately. Using the same formula as @richgalloway's,

index=foo "*_String1" "string2"
| rex "\b(?<dc_string>\w+_String1)\b"
| table _time dc_string

Based on your example, the above assumes that this (DC)_String1 is surrounded by word boundaries.

sandeepparcha44 · ‎03-18-2023

Example like AZ_String1 or TX_String1 like this.

yuanliu · ‎03-18-2023

Then the above rex should give you that.

How to search two strings and create a message in email body?

eval

regex

search job inspector

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!