Hi Experts,
I'm getting the below output in my search (index=LB example.domain.com* "monitor status *")
May 4 20:16:05 netloadBalance_1a notice mcpd[7457]: 01070727:5: Pool /Common/example.domain.com member /Common/192.168.2.24:443 monitor status up. [ /Common/tcp_443: up ] [ was up for 55hrs:23mins:26sec ]
I would like to get the output like
example.domain.com 192.168.2.24:443 monitor status up
Please advise.
This should do the trick.
index=LB example.domain.com* "monitor status *" | rex "\/Common\/(?P<domain>[^ ]+).*\/(?P<status>[\d\.:]+ monitor status \w+)\." | table domain status
Replace "&lt;" and "&gt;" with "<" and ">", respectively.
Thank you Richgalloway,
I'm getting the second output... 192.168.2.24:443 monitor status up
I need to get the first output also, which is the URL name, like....
example.domain.com 192.168.2.24:443 monitor status up
I've updated my answer. You may need to adjust the regex depending on if "/Common/" is a fixed string or not.
Thank you ....
Yes... It is working fine
Can we concatenate that domain & status together?
Certainly. Just use an eval like this: eval foo=domain+" "+status
Sorry Richgalloway...
Where do I need to insert this command... I'm poor at queries...
Put it before the table command, then change the table command to table foo.
You are awesome...
Thanks a lot.. it's working perfectly 🙂
Hi Richgalloway
Sorry....
What do we need to do to display a sentence like the one below...
example.domain.com monitor status changed to up/down on node 192.168.2.24:443
You have most of what you need already. All you have to do is tweak the regex string and the eval:
index=LB example.domain.com* "monitor status *" | rex "\/Common\/(?P<domain>[^ ]+).*\/(?P<node>[\d\.:]+) monitor status (?P<status>\w+)\." | eval sentence=domain+" monitor status changed to "+status+" on node "+node | table sentence
Thanks a lot ....:-)
Hi Richgalloway,
example.domain.com monitor status changed to down on node 192.168.2.24:443 2015-05-14 02:26:18
example.domain.com monitor status changed to down on node 192.168.2.24:443 2015-05-14 02:26:18
example.domain.com monitor status changed to down on node 192.168.2.24:443 2015-05-14 02:26:22
example.domain.com monitor status changed to up on node 192.168.2.24:443 2015-05-14 02:26:22
example.domain.com monitor status changed to up on node 192.168.2.24:443 2015-05-14 02:26:22
example.domain.com monitor status changed to up on node 192.168.2.24:443 2015-05-14 02:26:26
Shall I get a single entry for down and up in a single search.... if the domain name and IP address are the same...
That's easily done using the dedup command.
index=LB example.domain.com* "monitor status *" | rex "\/Common\/(?P<domain>[^ ]+).*\/(?P<node>[\d\.:]+) monitor status (?P<status>\w+)\." | dedup domain node | eval sentence=domain+" monitor status changed to "+status+" on node "+node | table sentence
Thank you:-)
But it is displaying only UP, not down...
It is displaying the most recent status. To show the most recent down and up states, change the dedup command to dedup domain node status.
Great! Please accept the answer.
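Added example, not part of the original thread and not code from any poster: the same extraction and the "dedup domain node status" result reproduced offline in Python, so the pattern can be checked against sample lines before it goes into a search. It assumes the log layout quoted in the question; the names EVENT, parse and latest_per_state and the sample events are constructed for illustration, and the partition is captured instead of assuming "/Common/" is fixed.

```python
import re

# Anchoring on the literal words "Pool" and "member" (instead of ".*") keeps the
# match tight; the partition is captured rather than hard-coded to "Common".
EVENT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ \w+ mcpd\[\d+\]: \S+ "
    r"Pool /(?P<partition>[^/\s]+)/(?P<domain>\S+) "
    r"member /[^/\s]+/(?P<node>\S+) "
    r"monitor status (?P<status>\w+)\."
)

def parse(line):
    """Return the extracted fields as a dict, or None for unrelated lines."""
    m = EVENT.match(line)
    return m.groupdict() if m else None

def latest_per_state(lines):
    """One sentence per (domain, node, status), keeping the newest event.

    Same result as `dedup domain node status` on Splunk's newest-first
    results; here the input is oldest-first, so later lines overwrite.
    """
    latest = {}
    for line in lines:
        ev = parse(line)
        if ev:
            latest[(ev["domain"], ev["node"], ev["status"])] = ev
    return [
        f'{e["domain"]} monitor status changed to {e["status"]} '
        f'on node {e["node"]} ({e["ts"]})'
        for e in latest.values()
    ]

# Constructed sample events (oldest first) in the format quoted in the question;
# the message ID from the thread's sample line is reused on every line.
_LINE = ("May 14 {t} netloadBalance_1a notice mcpd[7457]: 01070727:5: "
         "Pool /Common/example.domain.com member /Common/192.168.2.24:443 "
         "monitor status {s}. [ /Common/tcp_443: {s} ]")
SAMPLE = [_LINE.format(t=t, s=s) for t, s in [
    ("02:26:18", "down"), ("02:26:18", "down"), ("02:26:22", "down"),
    ("02:26:22", "up"), ("02:26:22", "up"), ("02:26:26", "up"),
]] + ["May 14 02:26:27 netloadBalance_1a notice mcpd[7457]: unrelated message"]

if __name__ == "__main__":
    for sentence in latest_per_state(SAMPLE):
        print(sentence)
```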