I want to create an alert for one particular error. So what would be the exact SPL I need to write?
The error is not in the interesting fields, so I used this one.
I did this from my end:
index=os source="/var/log/messages" | eval new_error= "server is not responding"
Is the above search correct? If not then please provide me the correct one.
No, your search is not correct. It fetches all events from the /var/log/messages file and creates a field in each event called "new_error". This probably is not the goal.
To give a working query we must know the purpose of the alert. What is it looking for?
Perhaps this will get you started.
index=os source="/var/log/messages" "server is not responding"
The SPL you mentioned won't work, assuming the "new_error" field is not available.
index=os source="/var/log/messages" | eval new_error= if(like(_raw,"%server is not responding%"), "Yes", "No") | where new_error="Yes"
You can also use search in place of the where command.
Hope this helps.
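Both answers above filter for the literal phrase; the following is an added example (not from either answerer) of how that filter is usually turned into a scheduled alert search. The time window (the last 15 minutes) and the result-count threshold are assumptions; the index, source and error string are the ones from the question.

```spl
index=os source="/var/log/messages" earliest=-15m@m latest=@m
    "server is not responding"
| stats count AS hits, latest(_time) AS last_seen BY host
| where hits >= 1
| convert ctime(last_seen)
```

Run on a cron schedule (every 15 minutes to match the window) and trigger when the number of results is greater than 0, so one row per affected host is reported. Putting the phrase in the base search, as in the first answer, lets Splunk filter on indexed terms and is case-insensitive; the eval/where form from the second answer retrieves every event from the source first and then filters, and like() is case-sensitive, so "Server is not responding" would be missed unless match() with an (?i) flag is used instead.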