I guys.
Recently i came in trouble to resolve the "puzzle" described in Title...
What we need
1) Trigger the "Job_Start", always
2) Monitor its processation
Variables
1) "Job_Start" is dynamic, i can have it at 01:00 so at 04:30, 15:00 or 17:15 (and so on....h24): so "Job_Start" is the beginning point!!!
2) "Job_End" is the great variable: it could exists, as NOT AT ALL, and the focal point is to check if IT EXISTS in a range time of max 2h from "Job_Start"
What i originally did,
tag=mytag host=server earliest=-3h
|transaction maxspan=120m maxevents=-1 startswith="Job_Start" endswith="Job_End" host,source
|[...........do all if statements by "duration" field]
... ok, but what if Job never ends???
tag=mytag host=server earliest=-3h
|transaction maxspan=120m maxevents=-1 startswith="Job_Start" host,source
|eval CHECK_END=if(match(_raw,"Job_End"),_time,"X")
|[...........do all if statements by "duration" field plus "CHECK_END" variable]
... ok, this is a good compromise to work...
Now, what i really scheduled (every 15 minutes), after thinking of possible missing timings or other things...
tag=mytag host=server earliest=-3h|sort + _time|eventstats first(_time) as tSTART last(_time) as tEND|eval RANGE=round((tEND-tSTART)/60)
|eval CHECK_START=if(match(_raw,"Job_Start"),_time,"X")
|eval CHECK_END=if(match(_raw,"Job_End"),_time,"X")
|stats min(CHECK_START) as START min(CHECK_END) as END last(RANGE) as RANGE
|where START!="X"
|eval DUR=round((END-START)/60)|eval PASS=round((now()-START)/60)
|eval msg=if( (START="X") AND (END="X"),"NO Job_Start last "+RANGE,msg)|eval nota="already skipped with where above!"
|eval msg=if( (START!="X") AND (END="X") AND (PASS>120),"Job_Start no Job_End after "+PASS,msg)
|eval msg=if( (START!="X") AND (END!="X") AND (PASS>120),"Job_Start with Job_End after "+DUR,msg)
|eval host="server"| eval source="mylog"
|eval displaythis="LOG:"+source+"__"+msg+"__[test]" | eval TimeStamp=strftime(now(),"%Y%m%d.%H%M%S") | table TimeStamp host displaythis
... the schedule is running... still have to test its real effects...
Now, some advice or help about what did above, and WHAT COULD BE DONE BETTER AND MORE EFFICIENTLY ?
... View more