Re: Searching log for number that is = to or > tha...

sunsan · ‎09-27-2013

I have a log file that logs date/time and a file count number. I need to set up an alert that will notify us when this file count is = to or > than a specific number. Any thoughts on how I can do this?

emiller42 · ‎09-27-2013

So the trick is to extract the number as a field first. You can do this inline, but eventually you'll want to set up a field extraction for it.

To do the inline version, you'll want to rex out the field, like so:

sourcetype=mylogs | rex "\d+:\d+:\d+\s(?<fileCount>\d+)$" | where fileCount>=25

Now, if you take that same regex and use it to make a field extraction, then your search would simply be:

sourcetype=mylogs fileCount>=25

Narj · ‎09-27-2013

Have you already extracted the file count number field? It's simple to have a saved search eg:

sourcetype=mylogs file_count >=25

Then edit it to run however often you need and set up an alert to trigger where the number of results are more than zero (eg: email).

sunsan · ‎09-27-2013

Thank you for responding. I don't think I explained very well.

Here is a sample of my log.

09/27/2013 11:16:02 691
09/27/2013 11:17:01 702
09/27/2013 11:18:02 727
09/27/2013 11:19:01 705

I need to be able to query on the number on the far right. (greater than or equal to X)

Searching log for number that is = to or > than

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

Everything Community at .conf24!

Index This | I’m short for "configuration file.” What am I?