Detect running status in a log

Hello everyone,

I have a log with an extractor where I get: name of job, args, and status (start, end) on each line.

I would like to query, for a period, all jobs where “status is running” (status start and not end), but I don’t know how I can do that (pipeline, extractor, counter?).

Do you have an idea?

Thank you

@Le-DOC

Did you extract (by extractor or pipeline) that information out of your log line? To make such a request you would need that information in a single field to query.

regards
Jan

Hi Jan,

I extracted the data with a regex extractor (I have never used a pipeline so far).
I have one field, cycle (Start or End), another field with the job name, others with args, etc.

Thanks

@Le-DOC

What fields, then, do you have in your message? Without knowing that, it is hard to help with a query …

I have:

  • HR_query_CYCLE (Start or End or Anormaly End)
  • HR_query_CDELMT (name of job)
  • HR_query_Demander (Asker)
  • HR_query_CPHAS (arg)
  • HR_query_IDREQ (arg)

Your query should be something like:

HR_query_CYCLE:Start AND NOT (HR_query_CYCLE:End OR HR_query_CYCLE:"Anormaly End")

The documentation on how to search might help you: http://docs.graylog.org/en/2.2/pages/queries.html

Suppose I have the following log:
01:00 CDELMT = Job1; CYCLE = Start
01:15 CDELMT = Job1; CYCLE = End
01:40 CDELMT = Job1; CYCLE = Start

I run the query at 01:50.
The result I want is to show only Job1 started at 01:40, because the job started at 01:00 ended at 01:15.

If I execute your query, it will show the starts at 01:00 and 01:40, no?

You need to choose the search time. Look here: http://docs.graylog.org/en/2.2/pages/queries.html#time-frame-selector

Thanks, I know where the time zone search is 🙂
The problem is I need to get 1 result (01:40) and not 2 (01:00 and 01:40) with this query.

Without a plugin I can’t imagine how to get that currently.
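An added example, not part of the thread: the result asked for above (only Starts with no later End) computed client-side in Python over messages exported from a search. The field names are the ones listed in the thread; the `timestamp` key, the function name `running_jobs` and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Field names and cycle values as listed in the thread.
JOB_FIELD = "HR_query_CDELMT"
CYCLE_FIELD = "HR_query_CYCLE"
END_VALUES = {"End", "Anormaly End"}


def running_jobs(messages, as_of):
    """Pair each End with the oldest open Start of the same job.

    Returns (running, orphan_ends): running is [(job, start_ts)] for Starts
    still unmatched at as_of; orphan_ends is [(job, end_ts)] for Ends whose
    Start lies outside the exported time frame.
    """
    open_starts = defaultdict(deque)  # job name -> unmatched start timestamps
    orphan_ends = []
    for msg in sorted(messages, key=lambda m: m["timestamp"]):
        if msg["timestamp"] > as_of:
            break  # ignore anything logged after the evaluation time
        job, cycle = msg[JOB_FIELD], msg[CYCLE_FIELD]
        if cycle == "Start":
            open_starts[job].append(msg["timestamp"])
        elif cycle in END_VALUES:
            if open_starts[job]:
                open_starts[job].popleft()
            else:
                orphan_ends.append((job, msg["timestamp"]))
    running = [(job, ts) for job, starts in open_starts.items() for ts in starts]
    return sorted(running, key=lambda r: r[1]), orphan_ends


def _msg(ts, job, cycle):
    return {"timestamp": ts, JOB_FIELD: job, CYCLE_FIELD: cycle}


# Constructed sample: the three Job1 lines from the thread (date is a placeholder),
# plus an abnormal end (Job2) and an End with no Start in the window (Job3).
DAY = "2017-01-01T"
SAMPLE = [
    _msg(DAY + "01:00:00", "Job1", "Start"),
    _msg(DAY + "01:05:00", "Job2", "Start"),
    _msg(DAY + "01:15:00", "Job1", "End"),
    _msg(DAY + "01:20:00", "Job3", "End"),
    _msg(DAY + "01:30:00", "Job2", "Anormaly End"),
    _msg(DAY + "01:40:00", "Job1", "Start"),
]

if __name__ == "__main__":
    print(running_jobs(SAMPLE, DAY + "01:50:00"))
```

The exported time frame has to reach back further than the longest expected job run; otherwise a job started before the window is missing from the result and its End shows up only in `orphan_ends`.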
