How to extract field and check if the value is gre...

sarit_s · ‎03-14-2019

Hello,

I have log that contains this value :

<0> 10/03/19 16:55:00 : Maintenance counter "UV Calibration" Value is: 31 hours.

I need to check if this value is greater than 300 for the last job
so for example if at 10.3.19 16:55:00 it was 300 and than at 10.3.19 16:56:00 it was 1 than it is not interesting me
but if at 10.3.19 16:55:00 it was 300 and than at 10.3.19 16:56:00 it was 301 i want to raise an alert and show it in table

How can i extract this field and calculate this ?

thanks

somesoni2 · ‎03-14-2019

Will there be logs for only one job? Are you always comparing 2 most recent job execution logs or it can be any two consecutive job execution?

sarit_s · ‎03-14-2019

well.. the log file can contain many jobs log, from many times
but i will always compare 2 recent jobs, yes

somesoni2 · ‎03-14-2019

Where are the job names appear in the log? In your sample data, is 31 (which is followed by hours) is the value you want to capture/compare?

sarit_s · ‎03-15-2019

well.. i need to check with our analysts where the job name so i will get back to you but for your second Q, yes, 31 is the value i want to capture

sarit_s · ‎03-17-2019

hi, i checked and the job name is iirelevant but i have sirial number that i can use

nickhills · ‎03-14-2019

You can do a search time extraction like this:

[your search]|rex "Value\sis\:\s(?P<calibration_duration>\d+)\shours"|table _time calibration_hours

Should give you a listing of all the times, and the calibration durations

If I understand the second part, you want to trigger an alert if two consecutive events are >300 ?

If my comment helps, please give it a thumbs up!

sarit_s · ‎03-14-2019

sorry but i probably did not understand it correctly because this rex returns no results
what should be "calibration_duration" and "calibration_hours"?

about the second part, yes

sarit_s · ‎03-17-2019

i tried again your solution
since i have few rows that contains the string "value" im getting result of the first one which is not the correct one
for example:

<0> 25/02/19 18:41:22 : Maintenance counter "Model 2 Left Pump" Value is: 9 hours.
... 48 lines omitted ...
<0> 25/02/19 18:41:22 : Maintenance counter "PM is Due" Value is: 117 hours.
<0> 25/02/19 18:41:22 : Maintenance counter "UV Calibration" Value is: 12 hours.

your solution will return the value '9'

sarit_s · ‎03-18-2019

UV Calibration" Value is: 17 hours. will return this value: calibration_duration=4375
can you please explain to me what is this number?
maybe you can explain to me the meaning of the regex ?
many thanks !

How to extract field and check if the value is greater than 300 for the last job?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!