Hi,
Currently I am going through a logfile, grouping by source and displaying the errors for that source. It basically looks like this:
logs\error.log | 123 ERROR: something went wrong
| 124 ERROR: 2309453250 )#UT%R)%)# invalid text
logs\info.log | 567 blah was restarted
What I would like it to look like is
logs\error.log | 123 ERROR: something went wrong
|
| 124 ERROR: 2309453250 )#UT%R)%)# invalid text
| (this blank line can be here or not, doesn't matter too much)
logs\info.log | 567 blah was restarted
The reason for this is the table becomes massive and it's really hard to distinguish the different errors, as this search is emailed out and also a PDF report is generated.
I'm probably going the completely wrong way about this, and I'm guessing the join is because I'm doing list(). I've read a few things about using appendpipe; should I be doing something like that with each result, or maybe a subsearch on _raw which returns each line plus a blank result? Each error is a single event, so ideally I'd grab every error, with a "blank" error, and just throw them all in a list.
Here is my query if it helps:
index=myindex ERROR tag::host="myhost"
| stats list(_raw) by source tag::host host
| rename tag::host as tag
| eval Hostname=tag + " (" + host + ")"
| rename list(_raw) as Errors
| rename source as Source
| dedup Source
| eval UtcTime=strftime(now(),"%d/%m/%Y %H:%M UTC")
If anyone could help me out or at least point me in the right direction, that would be great.
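Added illustration, not part of the original post and not Splunk code: a small Python model of what the query above does. `group_by_source` mimics `stats list(_raw) by source` (one ordered multivalue list per source), and `render_table` shows why the rows run together when the values are joined with a single newline, and how a double newline produces the blank continuation row the post asks for. The event dicts are constructed sample data in the shape of the post's table; `width`-padding and the `|` column are just rendering choices.

```python
from collections import defaultdict

# Constructed sample events (modelled on the post's table, not real log data):
# each dict carries the source file and the raw event text, the two fields
# that `stats list(_raw) by source` works with.
SAMPLE_EVENTS = [
    {"source": r"logs\error.log", "_raw": "123 ERROR: something went wrong"},
    {"source": r"logs\error.log", "_raw": "124 ERROR: 2309453250 )#UT%R)%)# invalid text"},
    {"source": r"logs\info.log", "_raw": "567 blah was restarted"},
]


def group_by_source(events):
    """Mimic `stats list(_raw) by source`: one multivalue list per source,
    keeping the events in the order they arrived."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev["source"]].append(ev["_raw"])
    return dict(groups)


def render_table(groups, separator="\n"):
    """Render a `Source | Errors` table as plain text.

    separator="\n"   -> every value on its own row, nothing between events
                        (the run-together look the post complains about).
    separator="\n\n" -> a blank continuation row between events, so each
                        error stands apart in the emailed/PDF output.
    """
    width = max(len(source) for source in groups)
    rows = []
    for source, errors in groups.items():
        body = separator.join(errors)
        for i, line in enumerate(body.split("\n")):
            # Only the first row of a group carries the source label,
            # matching how a grouped stats table is displayed.
            label = source if i == 0 else ""
            rows.append(f"{label:<{width}} | {line}")
    return "\n".join(rows)


if __name__ == "__main__":
    grouped = group_by_source(SAMPLE_EVENTS)
    print("--- single newline (current) ---")
    print(render_table(grouped, "\n"))
    print("--- double newline (desired) ---")
    print(render_table(grouped, "\n\n"))
```

Running the block prints both renderings side by side; the only difference between them is the separator handed to `render_table`, which is the part of the pipeline the question is really about.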