Is this returned in a single event or two separate events? i.e:
event 1 = [1421755004] SERVICE ALERT: oradb4;Bond1 TX;CRITICAL;SOFT;1;CHECK_NRPE: Socket timeout after 10 seconds.
event 2 = [1421755004] SERVICE ALERT: nagios;Eth0 TX;WARNING;SOFT;1;WARNING: Uso de eth0 para TX: 11167 kb/s
or
event 1 = [1421755004] SERVICE ALERT: oradb4;Bond1 TX;CRITICAL;SOFT;1;CHECK_NRPE: Socket timeout after 10 seconds.
[1421755004] SERVICE ALERT: nagios;Eth0 TX;WARNING;SOFT;1;WARNING: Uso de eth0 para TX: 11167 kb/s
If these are two events, limit the results of your search to exclude the unwanted event index=your_index "your search criteria" "SERVICE ALERT: oradb4*" etc.
If it is a single event then you can end the event using a transaction index=your_index "your search criteria" "SERVICE ALERT: oradb4*" | transaction endswith="Socket timeout after 10 seconds."
... View more