I want to create an alert for one particular error. So what would be the exact SPL I need to write?
The error is not in the interesting fields, so I used this one.
I did from my end:
index=os source="/var/log/messages" | eval new_error= "server is not responding"
Is the above search correct? If not, then please provide me the correct one.
No, your search is not correct. It fetches all events from the /var/log/messages file and creates a field in each event called "new_error". This probably is not the goal.
To give a working query we must know the purpose of the alert. What is it looking for?
Perhaps this will get you started.
index=os source="/var/log/messages" "server is not responding"

@richgalloway Yes, I tried this also, it's working. Because the server is generating this error after every 2 or 3 days, not sure. So if you suggest, can I set this simple query as the final alert?
The SPL you mentioned won't work, assuming the "new_error" field is not available:
index=os source="/var/log/messages" | eval new_error= if(like(_raw,"%server is not responding%"), "Yes", "No") | where new_error="Yes"
You can also use search in place of the where command.
Hope this helps.
@anilchaithu The mentioned SPL is not working.
The logic should work. Do you have events in the data with this error? If yes, the text "server is not responding" in the eval command of the logic should match as is to the event.
@anilchaithu Yes, I have the event which occurred 4 days ago for that error. When I run a simple search as @richgalloway suggests, it captures that event. But when I tried creating a field for that error as you also suggest, it is not capturing any event.
@anilchaithu Yes, this approach also seems correct. I will try this one and let you know.
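As an added example (not from any of the posters above), one way to turn the simple term search into an alert query that reports where and when the error last fired, with the eval/where variant written so it behaves like the term search. The like() comparison is case-sensitive while the bare term search is not, so lower(_raw) is used before matching; index, source and the error string are the ones from the question.

```spl
/* Alert search: one row per host that logged the error in the scheduled window.
   Schedule it (for example every 15 minutes over the last 15 minutes) and
   trigger when the number of results is greater than 0. */
index=os source="/var/log/messages" "server is not responding"
| stats count AS hits, latest(_time) AS last_seen BY host
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table host, hits, last_seen

/* Equivalent using eval + search instead of where; lower() makes the
   like() match case-insensitive so "Server is not responding" is also caught. */
index=os source="/var/log/messages"
| eval new_error=if(like(lower(_raw), "%server is not responding%"), "Yes", "No")
| search new_error="Yes"
| stats count AS hits, latest(_time) AS last_seen BY host
```

The first query is cheaper because the literal string is applied as an indexed term filter before any eval runs; the second scans every /var/log/messages event in the window.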
