Dashboard querying - help needed

[tomslmonitor]

Hi,

Just to preface myself, I'm a beginner user of Regex and have little experience in monitoring software.

I'm currently looking into NLS and I've managed to get everything up and running but I have an issue with querying in the dashboard.

Code: Select all

2015-12-08 10:18:26,971 INFO  [ReturnStrategy.run:67 331 0ae35574b6d1441e91ed505db292664a] ReturnEnd: copy[R13222A0440] borrower[T282] corpId[sdd2fxcswd2313] sessionId[rDLnmMSVZHDxY3KqIcJ4aPmL] clientUuid[0ae35574b6d1441e91ed505db292664a] took[424]

Above is a snippet from my log, using the regex:

/took\[[0-9]{3}\]/

it would find "took[424]". Using the same Regex in the dashboard query panel, I am returned with 0 results although the same snippet is present in the log.

I have however noticed when inspecting the Last Elasticsearch Query that it is escaping my \ automatically, see below for the Last Elasticsearch Query.

Code: Select all

"query": "/took\\[[0-9]{3}\\]/" 

Is there something I should be doing instead or because of how NLS is, I'll have to query it a little differently?

Any help would be great appreciated.

[jolson]

Regular expression can be finnicky in Elasticsearch. I suggest getting familiar with Lucene queries - they're much more thorough, and you should be able to search for anything you'd like using them.

For instance, if you'd like to search for took[100] through took[427], you could do the following:

2015-12-08 11_22_59-Dashboard • Nagios Log Server.png

Ultimately, you'll want that value (took) in its own field. That way instead of messing about with regex/lucene, you could simply query for:

Code: Select all

took:[100 TO 400]

In addition, you could make graphs and panels out of the 'took' field.

I have a few write-ups regarding filter creation if you're interested:
http://support.nagios.com/forum/viewtop ... 37&t=32221
http://support.nagios.com/forum/viewtop ... 68#p134768
http://support.nagios.com/forum/viewtop ... 28#p137728

[tomslmonitor]

Thanks for your reply.

Having values in their own fields looks like something I definitely want and the ability to graph the numbers as well.

I am currently looking at the suggested write-ups on filter creation.

A quick question, if I apply a filter on my log file, will there still be the field 'message' which contains the whole line and have the additional fields that I have created. Or will it have only the fields I have created in the filter?

The reason I am asking, is the log files I will be monitoring don't always have the same output format as it logs various events/activities. Will I have to take into account every possible line output and have empty field values some times or is there a more intuitive way to go about this.

[jolson]

A quick question, if I apply a filter on my log file, will there still be the field 'message' which contains the whole line and have the additional fields that I have created. Or will it have only the fields I have created in the filter?

The grok filter by default will not remove anything from the 'message' field - it will add a new field and populate it appropriately, leaving your original information in-place.

Will I have to take into account every possible line output and have empty field values some times or is there a more intuitive way to go about this.

All of your similar logs should pass through the same grok filter, more or less. If you have different types of logs entering the system, they should enter through different inputs and be run against different filters.

[tomslmonitor]

Thanks very much for your previous replies, they were very informative. Just back at work now from holidays, I have some grok filters working. I do have an additional question, please let me know if I should create another topic.

I am currently setting up alerts and I was wondering if there was a way to set up a filter more efficiently than what I had planned.

So I have a general query which returns a bunch of events which all have different sources (SourceModuleName), I have around 50 log files. The way I thought about implementing this was to filter each log and create a single alert for each source, as you can image this is tedious and hard to update if I needed to in the future.

The alerts I am planning on setting up will be along the lines of 10 events in 10 minutes for a source, is there a more efficient way to set these alerts up?

Thanks!

[jolson]

Thanks very much for your previous replies, they were very informative. Just back at work now from holidays, I have some grok filters working. I do have an additional question, please let me know if I should create another topic.

I'm happy to hear it! I think another topic would be a good thing - it'd help us keep track of what is what.

[tomslmonitor]

All good,

new topic https://support.nagios.com/forum/viewto ... 37&t=36857

Thanks!

[jolson]

Sounds good, I'll close this up. Thanks!