I have sample data which has all the fields, like below:
[11/07/2018 09:59:00] CAUAJM_I_40245 EVENT: ALARM ALARM: JOBFAILURE JOB: HYGIEIA_EC2_LOAD_ROOT **MACHINE: hexx.com** EXITCODE: 110
Below is an event with the machine field missing:
[11/07/2018 09:17:13] CAUAJM_I_40245 EVENT: ALARM ALARM: JOBFAILURE JOB: FADB_OUT_CROSSINVEST_PFX_BOX EXITCODE: 9
Below is the search I am using:
index=abc |rex field=_raw "MACHINE\:\s(?[^ ]+).*"
| eval time=strftime(_time,"%Y/%m/%d %H:%M:%S")
| eval node=host
| eval resource="Auto"
| eval type="Alarm"
| eval severity=1
| eval Machine_Name=case(isnull(Machine_Name),"NONE",isnotnull(Machine_Name),Machine_Name,1=1,"unknown")
| eval description="CAUAJM:" .CAUAJM ." STATUS:" . STAT . " JOB:" . JOB_Name . " MACHINE:" .Machine_Name. " with ExitCode:" .EXITCODE. " at:" . time . " Environment:AWP"
| table node resource type severity CAUAJM job_event JOB_Name Machine_Name time description
The description part shows blank for the second event, as there is no machine in it. How can I populate that so that the description part is not empty? I have attached a screenshot for better understanding.
Thanks,
Hi,
I think we can use an if() to fill your description field, like this:
index=abc
|rex field=_raw "MACHINE\:\s(?[^ ]+).*"
| eval time = strftime(_time,"%Y/%m/%d %H:%M:%S") ,
node = host ,
resource = "Auto" ,
type = "Alarm" ,
severity = 1,
Machine_Name = case(isnull(Machine_Name),"NONE",isnotnull(Machine_Name),Machine_Name,1=1,"unknown"),
description = if(isnull(Machine_Name),"Write your comment here","CAUAJM:" .CAUAJM ." STATUS:" . STAT . " JOB:" . JOB_Name . " MACHINE:" .Machine_Name. " with ExitCode:" .EXITCODE. " at:" . time . " Environment:AWP" )
| table node resource type severity CAUAJM job_event JOB_Name Machine_Name time description
I think that should do the trick 🙂
Let me know
KailA
Hello Kaila,
Thank you for your comment. I tried your search, but the description just had the machine name that I gave.
Below is how the description looks for other events:
CAUAJM:CAUAJM_I_40245 STATUS:JOBFAILURE JOB:GPW_AFF_PFX_DL MACHINE:GPWSYS.com with ExitCode:1 at:2018/11/08 08:04:05 Environment:AWP
but the one which I tried using your query just gives me the machine name, but not the entire description.
That's strange, I just copy/pasted your eval for description and added an if() in it.
But I think I understand what you wanted to do now, try this:
index=abc
|rex field=_raw "MACHINE\:\s(?[^ ]+).*"
| eval time = strftime(_time,"%Y/%m/%d %H:%M:%S") ,
node = host ,
resource = "Auto" ,
type = "Alarm" ,
severity = 1,
Machine_Name = case(isnull(Machine_Name),"NONE",isnotnull(Machine_Name),Machine_Name,1=1,"unknown"),
description = if(isnull(Machine_Name),"CAUAJM:" .CAUAJM ." STATUS:" . STAT . " JOB:" . JOB_Name . " MACHINE:No Machine" . " with ExitCode:" .EXITCODE. " at:" . time . " Environment:AWP","CAUAJM:" .CAUAJM ." STATUS:" . STAT . " JOB:" . JOB_Name . " MACHINE:" .Machine_Name. " with ExitCode:" .EXITCODE. " at:" . time . " Environment:AWP" )
| table node resource type severity CAUAJM job_event JOB_Name Machine_Name time description
Let me explain: if your Machine_Name field is null, it will return the description with MACHINE:No Machine (put whatever you want here); if not, it should return the full description.
If it is null then the description should be like below:
CAUAJM:CAUAJM_I_40245 STATUS:JOBFAILURE JOB:GPW_AFF_PFX_DL MACHINE:no_machine with ExitCode:1 at:2018/11/08 08:04:05 Environment:AWP
OK, but with the snippet of code I gave, didn't it return
CAUAJM:CAUAJM_I_40245 STATUS:JOBFAILURE JOB:GPW_AFF_PFX_DL MACHINE:No Machine with ExitCode:1 at:2018/11/08 08:04:05 Environment:AWP
??
Nope, it did not return that.
Ohhhhhh wait, I'm so sorry, I didn't see that you forgot to give a name to your field in rex.
I think that should work:
index=abc
|rex field=_raw "MACHINE\:\s(?<Machine_Name>[^ ]+).*"
| eval time = strftime(_time,"%Y/%m/%d %H:%M:%S") ,
node = host ,
resource = "Auto" ,
type = "Alarm" ,
severity = 1,
Machine_Name = if(isnull(Machine_Name),"no_machine",Machine_Name),
description = "CAUAJM:" .CAUAJM ." STATUS:" . STAT . " JOB:" . JOB_Name . " MACHINE:" .Machine_Name. " with ExitCode:" .EXITCODE. " at:" . time . " Environment:AWP"
| table node resource type severity CAUAJM job_event JOB_Name Machine_Name time description
Hope it will work now...
KailA
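A complete version of the search this thread converges on, added here as an example; it is not code from the original question or from KailA's replies. It runs without an index by building the two sample events from the question with makeresults, and it assumes that CAUAJM, STAT, JOB_Name, job_event and EXITCODE are not already extracted at index time, so it pulls them out with the same rex (in the original search they come from wherever the asker's environment extracts them). It illustrates three points. The capture group must be named, (?<Machine_Name>...), because (?[^ ]+) is a PCRE syntax error and rex will not run. Eval string concatenation with the . operator returns null as soon as any operand is null, which is why the whole description went blank for the event that has no MACHINE field; coalesce() supplies the default before the concatenation sees the null. And testing isnull(Machine_Name) inside the description expression of the same eval that has just assigned Machine_Name a default cannot fire, because the comma-separated assignments in one eval are evaluated left to right and the later expression already sees the defaulted value.

```spl
| makeresults
| eval _raw="[11/07/2018 09:59:00] CAUAJM_I_40245 EVENT: ALARM ALARM: JOBFAILURE JOB: HYGIEIA_EC2_LOAD_ROOT MACHINE: hexx.com EXITCODE: 110"
| append
    [| makeresults
     | eval _raw="[11/07/2018 09:17:13] CAUAJM_I_40245 EVENT: ALARM ALARM: JOBFAILURE JOB: FADB_OUT_CROSSINVEST_PFX_BOX EXITCODE: 9"]
| rex field=_raw "(?<CAUAJM>CAUAJM_\S+)\s+EVENT:\s+(?<job_event>\S+)\s+ALARM:\s+(?<STAT>\S+)\s+JOB:\s+(?<JOB_Name>\S+)(?:\s+MACHINE:\s+(?<Machine_Name>\S+))?\s+EXITCODE:\s+(?<EXITCODE>\d+)"
| eval Machine_Name=coalesce(Machine_Name, "no_machine")
| eval time=strftime(_time, "%Y/%m/%d %H:%M:%S"),
       node=host,
       resource="Auto",
       type="Alarm",
       severity=1
| eval description="CAUAJM:" . CAUAJM . " STATUS:" . STAT . " JOB:" . JOB_Name . " MACHINE:" . Machine_Name . " with ExitCode:" . EXITCODE . " at:" . time . " Environment:AWP"
| table node resource type severity CAUAJM job_event JOB_Name Machine_Name time description
```

The MACHINE group is wrapped in an optional non-capturing group, (?:\s+MACHINE:\s+(?<Machine_Name>\S+))?, so the rex still matches and still extracts EXITCODE for the event that lacks the field; without that the second event would lose every field after JOB, not just the machine. Against the real data replace the makeresults/append head with index=abc. Under makeresults there is no host field, so node is empty in this stand-alone run; the second row's description carries MACHINE:no_machine instead of being blank, which is the behaviour the asker wanted.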