I'm making a table that reports the error events on servers. I was able to make this work fine, allowing it to show the error string, the host and directory it occurred on, and the time it occurred. Now, I would like to make it so the user can type in keywords in a text field and the table will only show the events that have these words. When I tried to do this, however, the table returned "No results found." For example, I can have the text input set to the default `*` and it will show the errors fine, but if I type in "ERROR," which all the events have, it will give me no results found.
Here is the string I am using:
```
host=$hosttok1$ "ERROR" sourcetype=streamer_nohup source=$sourcetok1$| regex _raw!="WARN"| rex "(?<error>\w{5}\s+.{100})"| table _time host source error| search error=$texttok1$
```
This is based on a previous table I made that shows IP address and allows you to seek specific IP addresses:
```
index=qp_mds sourcetype=mds_perf host=$hosttok1$| rex "(?<IP>\d+\.\d+\.\d+\.\d+)" | table _time host IP| search IP=$texttok1$
```
Note that the IP table works exactly as intended.