I want to check if a process is still running. The process periodically logs a short info line about polling a directory.
Now, I want to use that info to detect whether the process is no longer running.
Normally, a simple search for the info would be:
search myprocess is doing the work
and then defining the alert for eventcount = 0 would do the job. But...
I would like to do it in a generic way, meaning that "is doing the work" is actually unknown. This has to work with every process that logs something periodically.
Now, I have defined a search doing a simple event count over time periods (hourly):
source=/logs/processes.log earliest=-3h@h | chart count over process by _time span=1h
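One way to implement the zero-count check on top of the hourly chart above, as an added example that is not part of the original post (and written in Python rather than SPL so it can be run offline): it buckets constructed sample log lines by process and hour, the way `chart count over process by _time span=1h` does, and flags every process that logged earlier in the window but has a zero count in the last complete hour, without knowing anything about the message text. The log format ("<ISO-8601 timestamp> <process>: <message>"), the process names and the timestamps are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original post). Assumed format:
# "<ISO-8601 timestamp> <process>: <free-text message>". The messages differ per
# process on purpose: the detection must not depend on knowing the text.
SAMPLE_LOG = """\
2024-05-01T07:10:00 backup: is doing the work
2024-05-01T07:40:00 indexer: polled /var/spool (3 files)
2024-05-01T08:05:00 backup: is doing the work
2024-05-01T08:35:00 indexer: polled /var/spool (0 files)
2024-05-01T08:50:00 mailer: queue scan ok
2024-05-01T09:12:00 indexer: polled /var/spool (1 files)
2024-05-01T09:45:00 mailer: queue scan ok
"""

# Assumed "now" for the sample run: 20 minutes into the 10:00 hour.
SAMPLE_NOW = datetime(2024, 5, 1, 10, 20)


def floor_hour(ts):
    """Align a timestamp to the start of its hour (the '@h' snap in SPL)."""
    return ts.replace(minute=0, second=0, microsecond=0)


def parse_line(line):
    """Split one line into (timestamp, process); the message text is ignored."""
    ts, rest = line.split(" ", 1)
    process, _message = rest.split(": ", 1)
    return datetime.fromisoformat(ts), process


def hourly_counts(log_text, now, lookback_hours=3):
    """Python equivalent of
       earliest=-3h@h | chart count over process by _time span=1h
    Returns {process: {bucket_start: count}} with every bucket of the window
    present, zeros included, which is what a count == 0 alert needs. The last
    bucket is the current, still partial hour."""
    earliest = floor_hour(now) - timedelta(hours=lookback_hours)
    buckets = [earliest + timedelta(hours=i) for i in range(lookback_hours + 1)]
    counts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, process = parse_line(line)
        if ts < earliest or ts >= now:
            continue
        counts.setdefault(process, {b: 0 for b in buckets})
        counts[process][floor_hour(ts)] += 1
    return counts


def silent_processes(counts, check_bucket):
    """Processes that logged in an earlier bucket of the window but have a zero
    count in check_bucket. Requiring an earlier non-zero count is what keeps the
    check generic: any process that ever logged inside the window is expected to
    keep logging, whatever its message says."""
    silent = []
    for process, per_bucket in counts.items():
        earlier = [c for b, c in per_bucket.items() if b < check_bucket]
        if per_bucket.get(check_bucket, 0) == 0 and sum(earlier) > 0:
            silent.append(process)
    return sorted(silent)


def detect(log_text, now, lookback_hours=3):
    """Alert on the last *complete* hour. Checking the current partial hour would
    flag every process a minute after the hour rolls over."""
    counts = hourly_counts(log_text, now, lookback_hours)
    last_complete = floor_hour(now) - timedelta(hours=1)
    return silent_processes(counts, last_complete)


if __name__ == "__main__":
    print(detect(SAMPLE_LOG, SAMPLE_NOW))  # ['backup']
```

With the sample data, `backup` logged at 07:10 and 08:05 and then went quiet, so it is the only process reported for the 09:00 bucket; `indexer` and `mailer` both logged during that hour and pass. Passing the current partial bucket (10:00) to `silent_processes` instead would report all three processes, which is exactly the false alarm an alert on `count = 0` over the raw chart produces early in each hour.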