Splunk Search

Am I doing this search correctly? where like()

HCadmins
Communicator

Hi:

Take a look at this ESXi log

2015-11-09T21:53:54.589Z cpu28:37021)MCE: 231: cpu28: bank7: MCA recoverable error (CE): "Memory Controller Read Error on Channel 0."

Using regex, I've extracted cpu28:37021) as field CPU and MCE: 231: cpu28: bank7: MCA recoverable error (CE): "Memory Controller Read Error on Channel 0."` as CPU_Message.

Now, I want to create a report that looks for the keywords MCE or MCA in the CPU_Message field. Doing wildcards won't work because there could be other words that contain mca or mce in them. I want to be alerted on any MCA or MCE errors specifically.

I've built this search

sourcetype=vmware:esxlog* | where like(CPU_Message, MCE) OR like(CPU_Message, MCA) | table host CPU CPU_Message

Will this accomplish what I want to do?

Thanks in advance!

0 Karma
1 Solution

sundareshr
Legend

Try this

sourcetype=vmware:esxlog* | where match(CPU_Message, "MC[E|A]") AND NOT match(CPU_Message, "recoverable") | table host CPU CPU_Message

This looks for an exact (regex) case-sensitive match

View solution in original post

0 Karma

sundareshr
Legend

Try this

sourcetype=vmware:esxlog* | where match(CPU_Message, "MC[E|A]") AND NOT match(CPU_Message, "recoverable") | table host CPU CPU_Message

This looks for an exact (regex) case-sensitive match

0 Karma

HCadmins
Communicator

Thank you! That worked well. Now how to I also exclude the word "recoverable"?

0 Karma

sundareshr
Legend

Try the updated query

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...