Hello LOG support
Please help with this alert query, which triggers when only 1 and not all conditions are present:
{
  "query": {
    "filtered": {
      "query": {
        "bool": {
          "should": [
            {"query_string": {"query": "ERROR"}},
            {"query_string": {"query": "*10.102.36.61"}},
            {"query_string": {"query": "*10.102.2.13"}}
          ]
        }
      },
      "filter": {
        "bool": {
          "must": [
            {"range": {"@timestamp": {"from": 1466617468942, "to": 1466703868942}}},
            {"fquery": {"query": {"query_string": {"query": "program:(\"INT-KARAF-PROD\")"}}, "_cache": true}}
          ]
        }
      }
    }
  }
}
- seems to trigger based on the *10.102.36.61 IP and not IP + LOG tagging + "ERROR" present in the log file
Trouble with alert queries triggering when they should not
Re: Trouble with alert queries triggering when they should not
Do you have multiple queries setup, or is it 3 separate filters? Can you post a screenshot of the complete query for us to look at on your Dashboard page?
Former Nagios Employee
Re: Trouble with alert queries triggering when they should not
Picture attached.
rkennedy wrote: Do you have multiple queries setup, or is it 3 separate filters? Can you post a screenshot of the complete query for us to look at on your Dashboard page?
I started to realize that there could be only 1 filter (adding more simply adds selections from the database)
- so the picture attached is one of the few left / re-configuring the rest with 1 or more queries, but only 1 filter (otherwise it includes more data instead of fine-filtering)
Please provide your opinion (I attended LOG training and was told to use LOG the way I did, until realizing it does not work this way)
Re: Trouble with alert queries triggering when they should not
You should use as many filters as possible, and then query for what you're looking for. I am a little confused by what is the actual problem here.
What exactly is not working? Can we see a screenshot of what the log message looks like and all of the fields expanded in the interface?
Former Nagios Employee.
Re: Trouble with alert queries triggering when they should not
hsmith wrote: You should use as many filters as possible, and then query for what you're looking for. I am a little confused by what is the actual problem here.
What exactly is not working? Can we see a screenshot of what the log message looks like and all of the fields expanded in the interface?
We need a cumulative query, while the top part "QUERY" is not, picking any one of many searches entered (queries "this" or "that" or "the other one" but not the 3 of them together)
What is the correct formula for using Query + Filtering so that we get a cumulative query indeed looking into, say, a specific error from a group of hosts or sources?
Re: Trouble with alert queries triggering when they should not
Okay, to rephrase this, because I'm still having a little trouble following.
You have a query, with 4 different things showing on it, and an alert depending on that query. When the query gets ANY result, not just all 4, you're getting an alert. You want alerts ONLY when all 4 results show up?
Former Nagios Employee.
Re: Trouble with alert queries triggering when they should not
hsmith wrote: Okay, to rephrase this, because I'm still having a little trouble following.
You have a query, with 4 different things showing on it, and an alert depending on that query. When the query gets ANY result, not just all 4, you're getting an alert. You want alerts ONLY when all 4 results show up?
Yes, thank you (trying to understand how to achieve that)
Re: Trouble with alert queries triggering when they should not
At this time it isn't going to be possible to define conditional statements to all 4 of the match records. For this, I've filed a feature request, ID #8973. This would allow you to define multiple queries, and add conditional statements to match in each of them before sending a notification.
One workaround that could work for this, if all of the messages do appear together, is to set your thresholds to 4, so that the alert will only trigger when 4 of these events have occurred. Your 'either' filters should still catch all of the messages together, so that will work out.
Former Nagios Employee
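As an added illustration (not code from this thread, from Nagios Log Server or from Elasticsearch), the Python toy below evaluates the posted query and two all-conditions variants against constructed log events, showing why a should-only bool fires on any single match and what the "specific error from a group of hosts" shape looks like in the same DSL. It keeps the program filter, drops the @timestamp range, and deliberately approximates query_string semantics.

```python
import fnmatch

# Constructed sample events; none of these come from the thread.
EVENTS = [
    {"program": "INT-KARAF-PROD", "message": "ERROR connection refused from 10.102.36.61"},
    {"program": "INT-KARAF-PROD", "message": "INFO heartbeat ok 10.102.36.61"},
    {"program": "INT-KARAF-PROD", "message": "ERROR timeout talking to 10.102.2.13"},
    {"program": "INT-KARAF-PROD", "message": "ERROR replication 10.102.36.61 -> 10.102.2.13"},
    {"program": "OTHER-APP", "message": "ERROR disk full 10.102.36.61"},
]

def query_string_matches(qs, event):
    """Simplified query_string: 'field:("value")' compares one field exactly;
    otherwise every term must wildcard-match some whitespace token of message."""
    if ":" in qs:
        field, value = qs.split(":", 1)
        return event.get(field) == value.strip('()"')
    tokens = event["message"].split()
    return all(any(fnmatch.fnmatchcase(t, term) for t in tokens) for term in qs.split())

def matches(clause, event):
    """Evaluate a clause tree made of 'bool' and 'query_string' nodes."""
    if "query_string" in clause:
        return query_string_matches(clause["query_string"]["query"], event)
    b = clause["bool"]
    must, should = b.get("must", []), b.get("should", [])
    ok = all(matches(c, event) for c in must)
    # With no must clauses, Elasticsearch requires at least one should clause to
    # match; that is exactly the posted query's situation (should-only = OR).
    if should and not must:
        ok = any(matches(c, event) for c in should)
    return ok

CONDITIONS = [{"query_string": {"query": q}}
              for q in ("ERROR", "*10.102.36.61", "*10.102.2.13")]
PROGRAM = {"query_string": {"query": 'program:("INT-KARAF-PROD")'}}

# The thread's query: program filter + should-only bool -> any one condition alerts.
AS_POSTED = {"bool": {"must": [PROGRAM, {"bool": {"should": CONDITIONS}}]}}
# ERROR required, from either host: the "specific error from a group of hosts" case.
ERROR_FROM_EITHER_HOST = {"bool": {"must": [PROGRAM, CONDITIONS[0],
                                            {"bool": {"should": CONDITIONS[1:]}}]}}
# Every condition required in the same event.
ALL_REQUIRED = {"bool": {"must": [PROGRAM] + CONDITIONS}}

def matching_messages(query):
    """Return the messages of the constructed events the query would alert on."""
    return [e["message"] for e in EVENTS if matches(query, e)]

if __name__ == "__main__":
    for name, q in (("as posted", AS_POSTED), ("error from either host", ERROR_FROM_EITHER_HOST),
                    ("all required", ALL_REQUIRED)):
        print(name, "->", len(matching_messages(q)), "hit(s)")
```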
Re: Trouble with alert queries triggering when they should not
Thank you.
rkennedy wrote: At this time it isn't going to be possible to define conditional statements to all 4 of the match records. For this, I've filed a feature request, ID #8973. This would allow you to define multiple queries, and add conditional statements to match in each of them before sending a notification.
One workaround that could work for this, if all of the messages do appear together, is to set your thresholds to 4, so that the alert will only trigger when 4 of these events have occurred. Your 'either' filters should still catch all of the messages together, so that will work out.
I used file_tagging and multiplied dashboards (which works for our needs so far)
Going to wait for that feature to get implemented.
Please close the case