Detect running status in a log


#1

Hello everyone,

I have a log with an extractor where I get: name of job, args, and status (start, end) on each line.

I would like to query, for a period, all jobs where “status is running” (status start and not end), but I don’t know how I can do that (pipeline, extractor, counter?)

Do you have an idea?

Thank you


(Jan Doberstein) #2

@Le-DOC

Did you extract (by extractor or pipeline) that information out of your log line? To make such a request you would need that information in a single field to query it.

regards
Jan


#3

Hi Jan,

I extracted data with a regex extractor (never used pipeline right now).
I have 1 field cycle (Start or End), one other field with job name, another with args, etc…

Thanks


(Jan Doberstein) #4

@Le-DOC

What fields do you have in your message, then? Without knowing that it is hard to give help with a query …


#5

I have:

  • HR_query_CYCLE (Start or End or Anormaly End)
  • HR_query_CDELMT (name of job)
  • HR_query_Demander (Asker)
  • HR_query_CPHAS (arg)
  • HR_query_IDREQ (arg)

(Jan Doberstein) #6

Your query should be something like:

HR_query_CYCLE:Start AND NOT (HR_query_CYCLE:End OR HR_query_CYCLE:"Anormaly End")

The Documentation on how to search might help you: http://docs.graylog.org/en/2.2/pages/queries.html


#7

Suppose I have the following log:
01:00 CDELMT = Job1; CYCLE = Start
01:15 CDELMT = Job1; CYCLE = End
01:40 CDELMT = Job1; CYCLE = Start

I run the query at 01:50.
The result I want is to show only Job1 started at 01:40, because the job started at 01:00 ended at 01:15.

If I execute your query, it will show the starts at 01:00 and 01:40, no?


(Jan Doberstein) #8

You need to choose the search time - look here: http://docs.graylog.org/en/2.2/pages/queries.html#time-frame-selector


#9

Thanks, I know where the time zone search is :slight_smile:
The problem is I need to get 1 result (01:40) and not 2 (01:00 and 01:40) with this query.


(Jan Doberstein) #10

Without a plugin I can’t imagine how to get that currently.
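Added example (not part of the thread and not Graylog functionality): the Start/End pairing asked for in #7 and #9, done in Python on messages that have already been exported from a search. It assumes each message is a dict with a `timestamp` plus the `HR_query_CDELMT` and `HR_query_CYCLE` fields from #5, and that a job name runs at most one instance at a time; the function name and sample data are constructed for illustration.

```python
from datetime import datetime

START = "Start"
END_STATES = {"End", "Anormaly End"}  # spelled as the field values in post #5


def running_jobs(messages, as_of):
    """Map each job name to the time of its still-open Start at `as_of`."""
    open_starts = {}
    for msg in sorted(messages, key=lambda m: m["timestamp"]):
        if msg["timestamp"] > as_of:
            break  # ignore anything logged after the query time
        job, cycle = msg["HR_query_CDELMT"], msg["HR_query_CYCLE"]
        if cycle == START:
            open_starts[job] = msg["timestamp"]  # a newer Start replaces an older one
        elif cycle in END_STATES:
            open_starts.pop(job, None)  # tolerate an End whose Start is outside the window
    return open_starts


def _msg(hhmm, job, cycle):
    # Constructed sample message; the date is arbitrary.
    ts = datetime.strptime("2017-01-01 " + hhmm, "%Y-%m-%d %H:%M")
    return {"timestamp": ts, "HR_query_CDELMT": job, "HR_query_CYCLE": cycle}


# Constructed sample: the three lines from post #7 plus two extra jobs.
SAMPLE = [
    _msg("01:00", "Job1", "Start"),
    _msg("01:15", "Job1", "End"),
    _msg("01:40", "Job1", "Start"),
    _msg("01:20", "Job2", "Start"),
    _msg("01:30", "Job2", "Anormaly End"),
    _msg("01:10", "Job3", "End"),
]

if __name__ == "__main__":
    as_of = datetime(2017, 1, 1, 1, 50)
    for job, started in running_jobs(SAMPLE, as_of).items():
        print(job, "running since", started.strftime("%H:%M"))
```

The export window has to reach back far enough to include the Start of any long-running job, otherwise that job is missed.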


(system) #11

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.