Can anyone please help me with the search below.
I want the names of all log files, with details of the keywords from each sourcetype.
If a keyword is present in a specific log file, then the last time that keyword appeared in that log file.
Log_Name | Updatedago | Login | Logout | Expire
Server.log | Last Login event at "TimeFrame" | Last LogOut event at "TimeFrame" | Last Expire event at "TimeFrame"
Server1.log | Last Login event at "TimeFrame" | Last LogOut event at "TimeFrame" | Last Expire event at "TimeFrame"
Login, Logout and Expire are the keywords available in the _raw field.
The timestamp field specifies how many minutes/hours ago the logs were updated (the last-updated time of the log file).
I am using the search below but get no results, and I am not sure how to get the last-updated part:
index=serverlogs source=server*.log | eval status=case(_raw LIKE "%Login%","Login", _raw LIKE "%LogOut%","Logout", _raw LIKE "%Expire%","Expire", true(),0)
Why don't you try using tags?
You should create three different eventtypes and associate a tag with each of them:
index=serverlogs source=server*.log login   (for tag=login)
index=serverlogs source=server*.log logout   (for tag=logout)
index=serverlogs source=server*.log logfail   (for tag=logfail)
In this way, you have the keywords to display:
index=serverlogs source=server*.log | table _time source tag
Using this method I created an entire app to display login, logout and logfail events of many different systems, creating many eventtypes (three for each kind of system) and associating the related tag.
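As an added example (not from the question or the answer above), here is one search that produces the table the question asks for: one row per log file, how long ago it was last written, and the last time each of the three keywords appeared. It uses the index, source pattern and keyword names from the question; the case-sensitive spelling of the keywords (Login, LogOut, Expire), the timestamp format and the "never" placeholder are assumptions.

```spl
index=serverlogs source=server*.log
``` classify every event by the keyword found in _raw; like() is case-sensitive, so the spelling must match the log ```
| eval status=case(like(_raw,"%Login%"),  "Login",
                   like(_raw,"%LogOut%"), "Logout",
                   like(_raw,"%Expire%"), "Expire",
                   true(),                "other")
``` one row per log file: newest event overall, plus the newest event of each keyword ```
| stats max(_time) as last_write
        max(eval(if(status="Login",  _time, null()))) as Login
        max(eval(if(status="Logout", _time, null()))) as Logout
        max(eval(if(status="Expire", _time, null()))) as Expire
        by source
``` "Updatedago" as a duration string (D+HH:MM:SS) relative to the time the search runs ```
| eval Updatedago = tostring(now() - last_write, "duration")
``` render the three keyword timestamps; a keyword that never appeared in that file shows "never" ```
| foreach Login Logout Expire
    [ eval <<FIELD>> = if(isnull('<<FIELD>>'), "never", strftime('<<FIELD>>', "%Y-%m-%d %H:%M:%S")) ]
| rename source AS Log_Name
| table Log_Name Updatedago Login Logout Expire
```

Once the eventtypes and tags from the answer above exist, the like() tests in the case() can be replaced by tag="login", tag="logout" and so on, which keeps the keyword definitions in one place instead of in every search. Two caveats: a substring match on "Login" also matches lines such as "LoginFailed", so anchor the pattern (or use the tagged eventtypes) if those events exist; and last_write is derived from the event timestamp (_time), so if the requirement is really "when was the file last modified", use max(_indextime) instead.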