Hi
I have two fields in my log file, <servername> and <CLOSESESSION>, and I need to know when CLOSESESSION is 0 each day, by servername.
Every day I expect CLOSESESSION to appear in my server logs; if one or more servers has no CLOSESESSION, it means something is going wrong.
Here is the SPL:
index="my_index"
| rex field=source "(?<servername>\w+)."
| rex "CLOSESESSION\:\s+(?<CLOSESESSION>\w+)"
| table _time servername CLOSESESSION
Expected output:
Servername cause
Server10 NOCLOSESESSION
Server15 NOCLOSESESSION
Any idea?
Thanks,
After several tries I found a solution:
| metadata type=hosts index=my_index
| eval count=0
| table host count
| append
[ search index=my_index CLOSESESSION
| stats count by host ]
| stats sum(count) as number by host | where number=0
You would basically need a lookup table file with all your server names (say the lookup table file is named servers.csv, with a column servername). Once you have this set up, you can run something like this:
index="my_index"
| rex field=source "(?<servername>\w+)."
| rex "CLOSESESSION\:\s+(?<CLOSESESSION>\w+)"
| stats dc(CLOSESESSION) as CLOSESESSIONs by servername
| append [| inputlookup servers.csv | table servername | eval CLOSESESSIONs=0]
| stats max(CLOSESESSIONs) as CLOSESESSIONs by servername
| where CLOSESESSIONs=0
Is it possible without a CSV file?
Would something like this work for you?
index="my_index"
| rex field=source "(?<servername>\w+)."
| rex "CLOSESESSION\:\s+(?<CLOSESESSION>\w+)"
| fillnull value="NOCLOSESESSION" CLOSESESSION
| bin _time span=1d
| stats values(CLOSESESSION) as CLOSESESSION by _time servername
| eval CLOSESESSION=mvjoin(CLOSESESSION,"")
| where CLOSESESSION="NOCLOSESESSION"
It does not work. Here is the log:
23:54:00.957 app server 1 module: CLOSESESSION
23:54:00.958 app server 3 module: CLOSESESSION
23:54:00.959 app server 4 module: CLOSESESSION
Expected output:
Servername cause
Server2 NOCLOSESESSION
If those are your logs, the issue may be with the rex. Try something like this:
| rex "\:\s+(?<CLOSESESSION>CLOSESESSION)"
I still have the issue. I think I need two searches here: first extract all server names from the file names that exist in the path, from metadata, for a faster result; then in the second query check which ones have no CLOSESESSION.
Something like this:
1- List of all log files that exist (per server)
| metadata type=sources index=my_index | table source
2- Filter just the lines that have CLOSESESSION
index="my_index" | search CLOSESESSION
| rex extracted server names of field "source" from STEP 1
| rex "\:\s+(?<CLOSESESSION>CLOSESESSION)"
| fillnull value="NOCLOSESESSION" CLOSESESSION
| bin _time span=1d
| stats values(CLOSESESSION) as CLOSESESSION by _time servername
| eval CLOSESESSION=mvjoin(CLOSESESSION,"")
| where CLOSESESSION="NOCLOSESESSION"
Here are the logs:
23:54:00.957 app server 1 module: CLOSESESSION
23:54:00.958 app server 3 module: CLOSESESSION
23:54:00.959 app server 4 module: CLOSESESSION
Expected output step 1:
servernames
server 1
server 2
server 3
server 4
Expected output step 2:
Servername cause
Server2 NOCLOSESESSION
Try this:
index="my_index"
| rex field=source "(?<servername>\w+)."
| rex "CLOSESESSION\:\s+(?<CLOSESESSION>\w+)"
| stats dc(CLOSESESSION) as CLOSESESSIONs by servername
| where CLOSESESSIONs=0
It does not work. Here is the log:
23:54:00.957 app server 1 module: CLOSESESSION
23:54:00.958 app server 3 module: CLOSESESSION
23:54:00.959 app server 4 module: CLOSESESSION
Expected output:
Servername cause
Server2 NOCLOSESESSION
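Pulling the thread together, here is an added Python example (not code from the thread or from Splunk) that reproduces the logic of the metadata/append search that finally worked and, at the same time, shows why the original rex never matched the posted log lines. Two points it makes explicit: the original pattern `CLOSESESSION\:\s+(?<CLOSESESSION>\w+)` looks for text after the keyword, whereas the log has `module: CLOSESESSION`, so the field is never extracted; and a server that logged nothing at all can only be found by starting from an inventory of servers and subtracting the ones seen, never by filtering events. The log lines (with a date prefix added, since the posted lines carry only a time of day) and the server inventory are constructed for the example.

```python
"""Report servers with no CLOSESESSION event on a given day.

Added example, not code from the thread. It mirrors the accepted search:
inventory of hosts (metadata type=hosts / servers.csv), outer-joined against
the hosts that actually logged CLOSESESSION, keeping those with a count of 0.
"""
import re
from collections import defaultdict

# Constructed sample events in the thread's format, with a date prefixed so
# that the per-day grouping ("bin _time span=1d") can be demonstrated.
SAMPLE_EVENTS = [
    "2024-01-01 23:54:00.957 app server 1 module: CLOSESESSION",
    "2024-01-01 23:54:00.958 app server 3 module: CLOSESESSION",
    "2024-01-01 23:54:00.959 app server 4 module: CLOSESESSION",
    "2024-01-01 23:54:01.100 app server 2 module: OPENSESSION",   # server 2 is present but never closes
    "2024-01-02 23:54:00.957 app server 1 module: CLOSESESSION",
    "2024-01-02 23:54:00.958 app server 2 module: CLOSESESSION",  # servers 3 and 4 log nothing on day 2
]

# Constructed inventory: the role played by "| metadata type=hosts" or the CSV lookup.
INVENTORY = ["server 1", "server 2", "server 3", "server 4"]

# Anchors on the colon and captures the keyword itself, as the answer at the end
# of the thread suggests, instead of expecting text after "CLOSESESSION:".
EVENT_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) \S+ app (?P<servername>server \d+) module:\s+(?P<event>\w+)"
)


def parse_event(line):
    """Return (day, servername, event) or None when the line does not match."""
    m = EVENT_RE.match(line)
    if m is None:
        return None
    return m.group("day"), m.group("servername"), m.group("event")


def servers_with_closesession(events):
    """Map day -> set of servers that logged CLOSESESSION that day (the inner search)."""
    seen = defaultdict(set)
    for line in events:
        parsed = parse_event(line)
        if parsed is not None and parsed[2] == "CLOSESESSION":
            day, servername, _ = parsed
            seen[day].add(servername)
    return seen


def missing_closesession(events, inventory):
    """Return [(day, servername, "NOCLOSESESSION"), ...] for every inventory
    server that did not log CLOSESESSION on that day.

    The loop runs over the inventory, not over the events: a server that logged
    nothing at all has no event to filter on, so it can only be found by
    subtracting the set of servers seen from the set of servers expected.
    """
    seen = servers_with_closesession(events)
    days = sorted({p[0] for p in map(parse_event, events) if p is not None})
    return [
        (day, server, "NOCLOSESESSION")
        for day in days
        for server in inventory
        if server not in seen[day]
    ]


if __name__ == "__main__":
    for day, server, cause in missing_closesession(SAMPLE_EVENTS, INVENTORY):
        print(day, server, cause)
```

With the constructed input, the result lists server 2 for 2024-01-01 (it logged only OPENSESSION) and servers 3 and 4 for 2024-01-02 (they logged nothing). Only the second case needs the inventory; any approach that starts from the events, such as `fillnull` on the extracted field, can report the first case at best.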