Saving searches for reuse
Let's build a query, save it, and make an alert out of it.
First, let's find errors that affect mary, one of our most important users. This can simply be the query
mary error
Looking at some sample log messages that match this query, we see that some of these events probably don't matter (the dates have been removed to shorten the lines).
ERROR LogoutClass error, ERROR, Error! [user=mary, ip=3.2.4.5]
WARN AuthClass error, ERROR, Error! [user=mary, ip=1.2.3.3]
ERROR BarCLass Hello world. [user=mary, ip=4.3.2.1]
WARN LogoutClass error, ERROR, Error! [user=mary, ip=1.2.3.4]
DEBUG FooClass error, ERROR, Error! [user=mary, ip=3.2.4.5]
ERROR AuthClass Nothing happened. This is worthless. Don't log this. [user=mary, ip=1.2.3.3]
We can probably skip the DEBUG messages; the LogoutClass messages look harmless; and the last message actually says that it's worthless.
mary error NOT debug NOT worthless NOT logoutclass
limits the results to the two lines below. Search terms are matched case-insensitively as whole terms (so debug matches the DEBUG level token), but the Boolean operator NOT itself must be written in uppercase or Splunk treats it as one more search term:
WARN AuthClass error, ERROR, Error! [user=mary, ip=1.2.3.3]
ERROR BarCLass Hello world. [user=mary, ip=4.3.2.1]
For good measure, let's add the sourcetype field and some parentheses.
sourcetype="impl_splunk_gen" (mary AND error) NOT debug NOT worthless NOT logoutclass
Another way of writing the same thing is as follows:
sourcetype="impl_splunk_gen" mary error NOT (debug OR worthless OR logoutclass)
So that we don't have to type our query every time, we can save this search for quick retrieval.