I use Graylog to push Ansible logs from a whole fleet of Ubuntu client machines. I collect logs in this format:
“Task: Firefox: Creation of pin for installation package successful .”
or
“Task: ‘Update APT cache’ error on the machine adm0848 in room b10hall”
I would like to keep only the status of each task (Successful or Failed) based on the source (the client machine) and the task name. In other words, if a task fails, I am notified, I correct it, I rerun an ansible-pull, and it becomes successful. In my dashboards, I would like the failed task to disappear because the “task name / source machine” association has become successful.
This would be difficult, as Graylog isn’t able to alter logs that have been ingested based on an incoming log. For this to work, the initial failed log would need to change to reflect that a subsequent attempt at the job has been successful. There is no pipeline to achieve this.
If each job had a unique ID that could be stored as a field, you could write this to a lookup table with either success or failed. Assuming that failed job is rerun and it maintains the same unique ID, if it was successful it would then be reflected within the lookup table. This would be one way of tracking job status.
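The latest-state idea from the reply above, as an added example that is not part of the original thread and is not Graylog functionality: it runs outside Graylog over exported messages and uses the "source machine + task name" pair as the key in place of a unique job ID. The hostname adm0849, the timestamps and the rerun success message are constructed; the parsing assumes the first standalone "successful" or "error" ends the task name.

```python
import re
from datetime import datetime

# Matches both message shapes quoted in the question; quotes around the task name are optional.
# Assumption: the first standalone "successful" or "error" marks the end of the task name.
MSG_RE = re.compile(r"^Task:\s*(?P<task>.+?)\s+(?P<status>successful|error)\b", re.I)
QUOTES = "'\"‘’“” "

def parse(message):
    """Return (task, status) or None when the message is not a task result."""
    m = MSG_RE.match(message.strip(QUOTES))
    if m is None:
        return None
    status = "failed" if m.group("status").lower() == "error" else "successful"
    return m.group("task").strip(QUOTES), status

def current_status(events):
    """events: iterable of (iso_timestamp, source, message) -> {(source, task): (ts, status)}."""
    table = {}
    for ts, source, message in events:
        parsed = parse(message)
        if parsed is None:
            continue
        task, status = parsed
        key, when = (source, task), datetime.fromisoformat(ts)
        # Keep only the newest record per key, so late-arriving old failures cannot reopen a fixed task.
        if key not in table or when >= table[key][0]:
            table[key] = (when, status)
    return table

def open_failures(events):
    """(source, task) pairs whose most recent result is still a failure."""
    return sorted(k for k, (_, status) in current_status(events).items() if status == "failed")

# Constructed sample events (deliberately out of order); only the message formats come from the thread.
EVENTS = [
    ("2024-05-02T09:30:00", "adm0848", "Task: ‘Update APT cache’ successful"),
    ("2024-05-02T09:00:00", "adm0848", "Task: ‘Update APT cache’ error on the machine adm0848 in room b10hall"),
    ("2024-05-02T09:10:00", "adm0849", "Task: ‘Update APT cache’ error on the machine adm0849 in room b10hall"),
    ("2024-05-02T09:05:00", "adm0848", "Task: Firefox: Creation of pin for installation package successful ."),
]

if __name__ == "__main__":
    for source, task in open_failures(EVENTS):
        print(f"{source}: {task} still failing")
```

The failure on adm0848 drops out of the result because a newer success exists for the same key, while adm0849 stays listed until its own rerun succeeds.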
I already have a widget that notifies me of tasks in error for each managed workstation. But I would like that if the tasks in error are corrected and the same task on the same PC becomes ‘successful’, then the error message in the widget disappears. Is that possible?