How to not include LD_PRELOAD in Error Alerts?

aditsss — Mon, 22 Aug 2022 12:05:46 GMT

Hi All,

I have created Alerts on the basis of Error keyword . Below is one of my alert

index=abc ns=blazegateway-c2 CASE(ERROR) NOT "INTERNAL_SERVER_ERROR"|rex field=_raw "(?<!LogLevel=)ERROR(?<Error_Message>.*)"|eval _time = strftime(_time,"%Y-%m-%d %H:%M:%S.%3N")| cluster showcount=t t=0.4|table app_name, Error_Message ,cluster_count,_time, environment, pod_name,ns |dedup Error_Message| rename app_name as APP_NAME, _time as Time, environment as Environment, pod_name as Pod_Name, cluster_count as Count

On the basis of above query I am getting one of the Error message as shown below:

message = ERROR: ld.so: object 'libnss_wrapper.so' from LD_PRELOAD cannot be preloaded: ignored.

I want Error message with LD_PRELOAD should not come in Alerts.

Can someone guide me what should I change in my alerts

Re: Not include LD_PRELOAD in Error Alerts

richgalloway — Sat, 20 Aug 2022 21:47:03 GMT

Just like you have an exclusion for "INTERNAL_SERVER_ERROR", add a similar exclusion for "LD_PRELOAD".

index=abc ns=blazegateway-c2 CASE(ERROR) NOT "INTERNAL_SERVER_ERROR" NOT "LD_PRELOAD" | rex field=_raw "(?<!LogLevel=)ERROR(?<Error_Message>.*)" | eval _time = strftime(_time,"%Y-%m-%d %H:%M:%S.%3N") | cluster showcount=t t=0.4 | table app_name, Error_Message ,cluster_count,_time, environment, pod_name,ns | dedup Error_Message | rename app_name as APP_NAME, _time as Time, environment as Environment, pod_name as Pod_Name, cluster_count as Count

topic Re: Not include LD_PRELOAD in Error Alerts in Dashboards & Visualizations

How to not include LD_PRELOAD in Error Alerts?

Re: Not include LD_PRELOAD in Error Alerts