Re: How to find errors reported in the data.num_of...

cdhippen · ‎07-11-2019

We've got some event collectors going down occasionally, and I've seen that their downtime appears to be tied very closely with high counts of data.num_of_parser_errors in introspection, but I'm having trouble finding these parser errors. I looked up index=_internal DateParserVerbose but I'm only seeing warnings in the time periods when these errors were reported and none of them are unhandled from what I can tell.

woodcock · ‎07-13-2019

I would open a support case. Don't expect a good answer quickly because support is swamped.

woodcock · ‎07-11-2019

Why does this not work?

 index=_introspection AND data.num_of_parser_errors=* AND (ERR* OR FAIL* OR CANNOT OR TIMEOUT OR CRASH* OR WARN* OR UNABLE)

cdhippen · ‎07-12-2019

I'm interested in knowing what the errors are rather than their minute to minute count, because we need to narrow down what keeps causing the EC's to crash, and we need some sort of error event or something to start off investigation.

cdhippen · ‎07-12-2019

This search doesn't find anything for the record. I added "NOT "INFO"" to the end of the search as well.

How to find errors reported in the data.num_of_parser_errors field from index=_introspection?

Using Machine Learning for Hunting Security Threats

Observability Newsletter Highlights | March 2023

Security Newsletter Updates | March 2023