Hello guys,
could you tell me how to only show null cells from this kind of table, for alerting purpose?
Search: index=* host=XXX source=/var/log* | eval ... | timechart span=1d values(source) by host
Thanks.
I would set up an alert based on this search:
index=* host=XXX source=/var/log* | eval ... | timechart span=1d values(source) by host
| eval shouldAlert=0 | foreach * [eval shouldAlert=shouldAlert+if(isnull('<<FIELD>>') OR '<<FIELD>>'="",1,0) ]
| where shouldAlert>0
Basically it'll loop through all columns of a row and add 1 to the shouldAlert field if there is a null value in that row. Later we only select rows where an alert should be raised. You can then set up an alert with the condition 'if number of events greater than 0'.
Just add this to the end:
| eval NULLVALUE="NO"
| foreach * [eval NULLVALUE=if(isnull('<<FIELD>>'), "YES", NULLVALUE)]
| search NULLVALUE="YES"
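A self-contained version of the foreach null check from the two answers above, added here as an example and not taken from either answer: it builds its own sample data with makeresults (constructed: four days of events for a host named web-01, with the day before yesterday deliberately removed), so it can be pasted into any Splunk search bar without touching an index. The host name, source paths and day offsets are assumptions. Because timechart names its columns after the host value and web-01 contains a hyphen, the field reference inside foreach is single-quoted; an unquoted isnull(web-01) would be evaluated as the arithmetic expression web minus 01 rather than as a field lookup, which is why the quoting matters for real host names.

```spl
| makeresults count=4
| streamstats count AS n
| eval _time=relative_time(now(), "-".n."d@d")
| eval host="web-01", source=if(n%2==0, "/var/log/messages", "/var/log/secure")
| where n!=2
| timechart span=1d values(source) by host
| eval shouldAlert=0
| foreach * [eval shouldAlert=shouldAlert+if(isnull('<<FIELD>>') OR '<<FIELD>>'="", 1, 0)]
| where shouldAlert>0
```

Run it with the time range set to Last 7 days or All time. The first six lines only manufacture the input: streamstats numbers the rows, relative_time puts each row at midnight n days ago, and the where clause drops day 2 so that timechart produces a 1d bucket with an empty web-01 cell. The last three lines are the check itself: every column, including the host column, is tested for isnull or empty string, and only the row with the gap survives, so the expected output is the single bucket for two days ago with shouldAlert=1. Saved as an alert with the trigger condition "number of results is greater than 0", it fires exactly when a day has no events for the host. If you only ever have one known host, the foreach can be replaced by the direct form | where isnull('web-01'), again with the quotes.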
No result... I tried src, host or even source for <<FIELD>>
No, you do not need to change ANYTHING. Type it in EXACTLY as I had it and it will work.
Same, no result... I tried src, host or even source for <<FIELD>>
You need to use literally '<<FIELD>>' there. No need to replace it with any field names.
Thanks a lot!
| where isnull(myfieldname)
It doesn't work. I tried values(source) as src and then used | where isnull(src), but nothing changed...
| where isnull(values(source)) gives the error: 'values' function is unsupported