Re: How to find all events not having a prior even...

rune_hellem · ‎09-08-2020

Today we had an issue in our production environment - a cluster did restart without a preceding command to restart. Now I want to search our logs to see if this has happened before without us realizing it. I have tried using the transaction command, but I am not sure if it will fix the for me.

We are running WebSpere and whenever a JVM is being started it will log an event like this

[9/8/20 8:54:10:653 CEST] 00000001 WsServerImpl  A   WSVR0001I: Server MinSideMember02 open for e-business

If the restart was initiated by an administrator via the console or as a scheduled restart via a script, the following event will be logged

[9/8/20 8:47:57:429 CEST] 000003b8 AdminHelper   A   ADMN1020I: An attempt is made to stop the MinSideMember02 server. (User ID = defaultWIMFileBasedRealm/wasadmin)

This is what I have tried (ref this answer)

index=production (e-business OR ADMN1020I) sourcetype="websphere:system:out" | transaction startswith="ADMN1020I" endswith="e-business" maxspan=15m |search eventcount=1

But - no - it does find all "stop then started", but no the two "started without stopped"-events.

richgalloway · ‎09-08-2020

Add the keeporphans=true option to the transaction command.

---
If this reply helps you, Karma would be appreciated.

rune_hellem · ‎09-09-2020

Did try

index=production (ADMN1020I OR e-business) sourcetype="websphere:system:out" | transaction startswith="ADMN1020I" endswith="e-business" maxspan=15m keeporphans=true

but it does not capture te e-business without ADM10201-message

How to find all events not having a prior event

index

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!