I have solved this using the eventstats command, example below:
index="{INDEX}" host={HOST} |
transaction startswith="{STARTSWITH}" endswith="{ENDSWITH}" |
eval StartTime=_time |
eventstats max(StartTime) as max |
where max=StartTime
This will select the latest event only.
Try this:
index=foo sourcetype=bar "the run has been completed successfully" | timechart span=1d count | where count=0
That should give you days without a successful run.
Hi Martin, that's not particularly what we're looking for. We are using rangemaps to display traffic lights of the current status: if it's warning but is succeeding after retry it should go amber, if it's failing altogether, red, and if successful then green.
What does a failure look like in the logs? What does a successful run look like?
Hey Martin,
It will be {Timestamp}: Error - {Error type}
Success will be something like: The run has been completed successfully.
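The traffic-light rule discussed in this thread, modelled outside Splunk as an added example (not code from any of the posters): it picks the run with the newest start time, as the eventstats answer does, and maps it to green, amber or red. The `Run started` marker, the timestamp layout and treating a run with no success line as red are assumptions.

```python
import re
from datetime import datetime

# Constructed sample log; the "Run started" marker and timestamp layout are assumptions.
SAMPLE_LOG = """\
2024-05-01 02:00:00: Run started
2024-05-01 02:05:10: The run has been completed successfully.
2024-05-02 02:00:00: Run started
2024-05-02 02:01:30: Error - Connection timeout
2024-05-02 02:03:00: The run has been completed successfully.
"""

LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): (.*)$")
START = "Run started"  # hypothetical start-of-run marker
SUCCESS = "The run has been completed successfully"

def split_runs(log_text):
    """Group log lines into runs, opening a new run at each start marker."""
    runs = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that carry no timestamp
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(2)
        if msg.startswith(START) or not runs:
            runs.append({"start": ts, "messages": []})
        runs[-1]["messages"].append(msg)
    return runs

def latest_status(log_text):
    """Return green/amber/red for the run with the newest start time."""
    runs = split_runs(log_text)
    if not runs:
        return "red"  # assumption: no run at all counts as a failure
    latest = max(runs, key=lambda r: r["start"])
    errors = sum(1 for m in latest["messages"] if m.startswith("Error - "))
    succeeded = any(m.startswith(SUCCESS) for m in latest["messages"])
    if succeeded:
        # Errors followed by success means the run succeeded after retry.
        return "amber" if errors else "green"
    return "red"  # assumption: no success line means the run failed

if __name__ == "__main__":
    print(latest_status(SAMPLE_LOG))
```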