In my base search I calculate the code and group events which occur within a few milliseconds of each other; they get the same ID. The next step is to look for events that have the same code but got wrong IDs in the first step because they occur within a few seconds of each other; they should also get the same ID. I implemented such a search for one code in the following way:
First step, my base search:
host=Host_MA SEVERITY!=FATAL | eval Zusatz=case(match(_raw,"VOLTAGE"),"VOLT", match(_raw,"TEMPERATURE"),"TEMP", match(_raw,"CURRENT"),"CURR", match(_raw,"power module fault"),"POMF", 1=1,"NULL") | eval Code=MSG_ID.";".Subcomponent.";".SEVERITY.";".Zusatz | delta _time p=1 AS diff | eval diff=round(-diff,3) | eval ID=case(isnull(diff),1,diff>0.003,1,1=1,0) | accum ID
Second step, several searches with one code each:
search Code="KERN_2205;bg_subcomp_linux;WARN;NULL" | delta _time p=1 AS diff2 | eval diff2=round(-diff2,3) | eval ID2=case(isnull(diff2),1,diff2>1.0,1,1=1,0) | accum ID2 | eventstats first(ID) as temp_id1 by ID2 | fields - ID, ID2, diff2 | rename temp_id1 as ID
After that search I only get events with Code="KERN_2205;bg_subcomp_linux;WARN;NULL", but I am looking for a way to add the results of the next search with Code="...". There are over 250 different codes, so perhaps there is an easier way?
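One way to run the second step for all codes in a single pass, as an added example that is not from the original post: `delta` has no `by` clause, which is why the per-code gap had to be computed one code at a time, but `streamstats ... by Code` keeps a separate "previous event" per code, and a per-code `streamstats sum()` plays the role of `accum`. The search below assumes the same field names (MSG_ID, Subcomponent, SEVERITY, Zusatz, Code), the same host filter and the same thresholds (3 ms for step 1, 1 s for step 2) as the searches above; the helper field names prev_time, prev_time_code and newgroup are arbitrary.

```spl
host=Host_MA SEVERITY!=FATAL
| eval Zusatz=case(match(_raw,"VOLTAGE"),"VOLT", match(_raw,"TEMPERATURE"),"TEMP", match(_raw,"CURRENT"),"CURR", match(_raw,"power module fault"),"POMF", 1=1,"NULL")
| eval Code=MSG_ID.";".Subcomponent.";".SEVERITY.";".Zusatz
| sort 0 _time
| streamstats current=f window=1 last(_time) as prev_time
| eval ID=if(isnull(prev_time) OR _time-prev_time>0.003, 1, 0)
| accum ID
| streamstats current=f window=1 last(_time) as prev_time_code by Code
| eval newgroup=if(isnull(prev_time_code) OR _time-prev_time_code>1.0, 1, 0)
| streamstats sum(newgroup) as ID2 by Code
| eventstats min(ID) as ID by Code, ID2
| fields - prev_time, prev_time_code, newgroup, ID2
```

Reading it top to bottom: `sort 0 _time` puts the events oldest first, so every gap is simply `_time - prev_time` and the sign flip from the original `round(-diff,3)` is not needed (the `0` lifts the default 10,000-row limit of `sort`). The first `streamstats`/`eval`/`accum` triple is step 1 unchanged in effect: a new ID starts at the first event and wherever the gap to the previous event of any code exceeds 3 ms. The second `streamstats` uses `by Code`, so prev_time_code is the previous event of the same code; `newgroup` is 1 at the start of each per-code burst (gap over 1 s), and `streamstats sum(newgroup) ... by Code` turns that into a running per-code counter, which is what `accum ID2` did for a single code. Finally `eventstats min(ID) as ID by Code, ID2` gives every event in a per-code burst the smallest step-1 ID of that burst, which is the same value `first(ID)` produced on the original newest-first ordering. Grouping by both Code and ID2 matters, because ID2 restarts from 1 for every code.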