count condition

ytl — Fri, 08 Apr 2011 06:21:58 GMT

so i have logs where a log entry is generated when things are bad; and another when it's good. i can typically use 'transaction' to group these together; however, i only care to get information when i get one entry (bad) but not the related other (good).

so i have each event tagged with 'up' or 'down', so i was thinking of doing something where if the last entry is 'down', then i want some output - like in a table by the host.

any idea how this could be implemented?

Re: count condition

netwrkr — Fri, 08 Apr 2011 19:33:13 GMT

This isn't too hard. Using the transaction command along with 'startswith' and 'endswith' you want to search on transactions that aren't closed and then output those unclosed (or evicted) transactions "|search closed_txn=0"

keepevicted= Description: Whether to output evicted transactions. Evicted transactions are events that do NOT match the transaction parameters; for example, the time range is wrong, or the "startswith" or "endswith" requirements are missing. Evicted transactions can be distinguished from non-evicted transactions by checking the value of the 'closed_txn' field, which is set to '0' for evicted transactions and '1' for closed ones. A transaction is evicted from memory when the memory limitations are reached.

HTH

topic count condition in Alerting

count condition

Re: count condition