Solved: Re: find NOCLOSESESSION in logs daily

indeed_2000 · ‎10-13-2021

Hi
I have two field on my logfile <servername> <CLOSESESSION> need to know when CLOSESESSION is 0 each day by servername.
everyday I expect CLOSESESSION appear on my server logs, if one or more server has no CLOSESESSION it means something going wrong.

here is the spl:
index="my_index"
| rex field=source "(?<servername>\w+)."
| rex "CLOSESESSION\:\s+(?<CLOSESESSION>\w+)"

| table _time servername CLOSESESSION

Expected output:

Servername cause

Server10 NOCLOSESESSION

Server15 NOCLOSESESSION

any idea?

Thanks,

indeed_2000 · ‎10-15-2021

after several try find solution

View solution in original post

indeed_2000 · ‎10-15-2021

after several try find solution

somesoni2 · ‎10-13-2021

You would basically need a lookup table file with all your server names (say lookup table file name will be servers.csv with column servername) . Once you've this setup, you can run something like this

index="my_index" | rex field=source "(?<servername>\w+)." | rex "CLOSESESSION\:\s+(?<CLOSESESSION>\w+)" | stats dc(CLOSESESSION) as CLOSESESSIONs by servername | append [| inputlookup servers.csv | table servername | eval CLOSESESSIONs=0] | stats max(CLOSESESSIONs) as CLOSESESSIONs by servername | where CLOSESESSIONs=0

indeed_2000 · ‎10-13-2021

is it possible without csv file?

ITWhisperer · ‎10-13-2021

Would something like this work for you?

index="my_index"
| rex field=source "(?<servername>\w+)."
| rex "CLOSESESSION\:\s+(?<CLOSESESSION>\w+)"
| fillnull value="NOCLOSESESSION" CLOSESESSION
| bin _time span=1d
| stats values(CLOSESESSION) as CLOSESESSION by _time servername
| eval CLOSESESSION=mvjoin(CLOSESESSION,"")
| where CLOSESESSION="NOCLOSESESSION"

indeed_2000 · ‎10-13-2021

not work, here is the log:

23:54:00.957 app server 1 module: CLOSESESSION

23:54:00.958 app server 3 module: CLOSESESSION

23:54:00.959 app server 4 module: CLOSESESSION

Expected output:

Servername cause

Server2 NOCLOSESESSION

ITWhisperer · ‎10-13-2021

If those are your logs, the issue may be with the rex - try something like this

| rex "\:\s+(?<CLOSESESSION>CLOSESESSION)"

indeed_2000 · ‎10-13-2021

still have issue, i think need two search here, first extract all server names from file name that exist in path from metadata for faster result, then in second query check which one has not CLOSESESSION

somthing like this:

1- list of all log files exist (per server)
| metadata type=sources index=my_index | table source

2-filter just lines have CLOSESESSION
index="my_index" | search CLOSESESSION
| rex extracted server names of field "source" from STEP 1
| rex "\:\s+(?<CLOSESESSION>CLOSESESSION)" |
| fillnull value="NOCLOSESESSION" CLOSESESSION
| bin _time span=1d
| stats values(CLOSESESSION) as CLOSESESSION by _time servername
| eval CLOSESESSION=mvjoin(CLOSESESSION,"")
| where CLOSESESSION="NOCLOSESESSION"

here is the logs:

23:54:00.957 app server 1 module: CLOSESESSION

23:54:00.958 app server 3 module: CLOSESESSION

23:54:00.959 app server 4 module: CLOSESESSION

Expected output step 1:

servernames

server 1

server 2

server 3

server 4

Expected output step 2:

Servername cause

Server2 NOCLOSESESSION

somesoni2 · ‎10-13-2021

Try this

index="my_index"
| rex field=source "(?<servername>\w+)."
| rex "CLOSESESSION\:\s+(?<CLOSESESSION>\w+)"
| stats dc(CLOSESESSION) as CLOSESESSIONs by servername
| where CLOSESESSIONs=0

indeed_2000 · ‎10-13-2021

not work, here is the log:

23:54:00.957 app server 1 module: CLOSESESSION

23:54:00.958 app server 3 module: CLOSESESSION

23:54:00.959 app server 4 module: CLOSESESSION

Expected output:

Servername cause

Server2 NOCLOSESESSION

find NOCLOSESESSION in logs daily

field extraction

rex

stats

table

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!