splunk check if message contains certain string
In Splunk search query how to check if log message has a text or not?
Log message:
message: 2018-09-21T07:15:28,458+0000 comp=hub-lora-ingestor-0 [vert.x-eventloop-thread-0] INFO com.nsc.iot.hono.receiver.HonoReceiver - Connected successfully, creating telemetry consumer ...
and I want to check if message contains "Connected successfully, creating telemetry consumer ..." and based on this want to assign 1 or 0 to a variable
Splunk search Query
(index="05c48b55-c9aa-4743-aa4b-c0ec618691dd" ("Retry connecting in 1000ms ..." OR "Connect or create consumer failed with exception" OR "Connected successfully, creating telemetry consumer ..."))
| rex field=_raw ^(?:[^ \n]* ){7}(?P<success_status_message>\w+\s+\w+,\s+\w+\s+\w+\s+\w+)"
| timechart count as status | eval status=if(isnull(success_status_message), 0, 1)
success_status_message is always null
Answer
Part of the problem is the regex string, which doesn't match the sample data. Another problem is the unneeded timechart command, which filters out the 'success_status_message' field. Try this search:
(index="05c48b55-c9aa-4743-aa4b-c0ec618691dd" ("Retry connecting in 1000ms ..." OR "Connect or create consumer failed with exception" OR "Connected successfully, creating telemetry consumer ..."))
| rex "\s-\s(?P<success_status_message>.*)"
| eval status=if(match(success_status_message, "Connected successfully, creating telemetry consumer"), 1, 0)