This approach works but is quite cumbersome as there are a number of different types of errors and if this solution is to be implemented then it require going through each error and developing a regular expression for each. | stats count(LogLevel) as Frequency by Message | eval Message=replace("unable to authenticate user \d ", "unable to authenticate user ") | eval Message=replace("unable to deliver mail to (.)* Unable to reach server", "unable to deliver mail to : Unable to reach server") Currently what I am using is the replace the strings with a common regexp and then find the frequency index="pc_1" LogLevel=ERROR I am looking for a way I can group this based on similarities in strings. Return "physicsjobs" events with a speed is greater than 100.Unable to deliver mail to Unable to reach serverĪs you can notice in the results produced, some similar errors are being split based on difference in ids of users emails, and machine ids. Specify a calculation in the where command expression Return "CheckPoint" events that match the IP or is in the specified subnet. Match IP addresses or a subnet using the where command The where command returns like=TRUE if the ipaddress field starts with the value 198. The percent ( % ) symbol is the wildcard you must use with the like function. You can only specify a wildcard with the where command by using the like function. Specify a wildcard with the where command
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |