Nagios Logserver integration : problem with filters

Posted: Mon Jan 25, 2016 8:53 am
by Johan159
I have used the NagiosXI's wizard for Nagios Logserver to configure on Nagios XI an alert that I defined a while ago on Nagios LS.

Right now, the alert on Nagios LS is green (no match).

The query string on Nagios LS is:

+SourceModuleName:HL7Processor +ERROR

Which means: give me the records containing "ERROR" AND that are from the source "HL7Processor".

The wizard on Nagios XI generated this command :


check_nagioslogserver.php --url='http://vipnagioslog/nagioslogserver/' --apikey='20f34782f619f1620246f87911573e9f77d26b78' --minutes='10' --warn='1' --crit='5' --query='{"query":{"filtered":{"query":{"bool":{"should":[{"query_string":{"query":"+SourceModuleName:HL7Processor +ERROR"}}]}},"filter":{"bool":{"must":[{"range":{"@timestamp":{"from":1430922548745,"to":1431008948746}}}]}}}}}'

The problem is that when this command check is fired, the "AND" logic seems to become an "OR" logic.

It indeed finds about 1300 matching records, while it should report 0.

And if I launch the command with only "+SourceModuleName:HL7Processor" and then only "+ERROR", I respectively get about 1000 and 300 matching records.

So, the bottom line is that the "AND" logic is replaced by "OR" when using that command. Is there any kind of syntax I should use to correct that?

Re: Nagios Logserver integration : problem with filters

Posted: Mon Jan 25, 2016 5:43 pm
by jolson
Try formatting your Lucene syntax in the following way:


SourceModuleName:HL7Processor AND ERROR

You might add the '+' characters if they are indeed part of the string. The above worked for me on Nagios Log Server version 1.4.0 - let me know if it works for you. Thanks!

Re: Nagios Logserver integration : problem with filters

Posted: Mon Jan 25, 2016 5:43 pm
by tmcdonald
Lemme clean this up a bit:

check_nagioslogserver.php --url='http://vipnagioslog/nagioslogserver/' --apikey='20f34782f619f1620246f87911573e9f77d26b78' --minutes='10' --warn='1' --crit='5' --query='
{
  "query":{
    "filtered":{
      "query":{
        "bool":{
          "should":[
            {
              "query_string":{
                "query":"+SourceModuleName:HL7Processor +ERROR"
              }
            }
          ]
        }
      },
      "filter":{
        "bool":{
          "must":[
            {
              "range":{
                "@timestamp":{
                  "from":1430922548745,
                  "to":1431008948746
                }
              }
            }
          ]
        }
      }
    }
  }
}'

If you change the "should" to a "must" does that work? Or are you saying that the OR is taking place like "SourceModuleName:HL7Processor" OR "ERROR"? If that's the case, try keeping it as "should" and change the query to "SourceModuleName:HL7Processor" AND "ERROR".

Edit: Bah, Jesse beat me to it :)
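As an added example (not code from the thread, from Nagios, or from the check_nagioslogserver.php plugin), the following Python rewrites the '+'-required Lucene terms into the explicit AND form jolson suggested and assembles the wizard-shaped query body that tmcdonald laid out, so the check no longer depends on the '+' characters surviving the trip to the Log Server API. The helper names, the URL and the API key placeholder are assumptions; the @timestamp range is computed from the check's own --minutes window.

```python
import json
import shlex
import time
from typing import Optional

# Placeholders, not the values from the thread: point these at your own instance.
LOGSERVER_URL = "http://logserver.example/nagioslogserver/"
APIKEY = "<APIKEY>"


def required_terms_to_and(lucene: str) -> str:
    """Rewrite '+term +term' (Lucene required-term syntax) as 'term AND term'.

    Splits on whitespace only, so quoted phrases are not handled. A query
    with no '+' terms is returned unchanged; a mix of '+' and plain terms is
    rejected because its AND/OR intent is ambiguous once the '+' is lost.
    """
    tokens = lucene.split()
    plus = [t for t in tokens if t.startswith("+") and len(t) > 1]
    if not plus:
        return lucene
    if len(plus) != len(tokens):
        raise ValueError("mixed '+' and plain terms; write the boolean logic out explicitly")
    return " AND ".join(t[1:] for t in plus)


def build_query_body(lucene: str, minutes: int, now_ms: Optional[int] = None) -> dict:
    """Build the 'filtered' body in the shape the XI wizard emits: the Lucene
    string inside bool/should plus a @timestamp range over the last `minutes`."""
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    from_ms = now_ms - minutes * 60 * 1000
    return {"query": {"filtered": {
        "query": {"bool": {"should": [{"query_string": {"query": lucene}}]}},
        "filter": {"bool": {"must": [{"range": {"@timestamp": {"from": from_ms, "to": now_ms}}}]}},
    }}}


def build_check_command(lucene: str, minutes: int = 10, warn: int = 1, crit: int = 5,
                        url: str = LOGSERVER_URL, apikey: str = APIKEY,
                        now_ms: Optional[int] = None) -> str:
    """Assemble the check_nagioslogserver.php command line with the AND form of the query."""
    body = json.dumps(build_query_body(required_terms_to_and(lucene), minutes, now_ms),
                      separators=(",", ":"))
    return (f"check_nagioslogserver.php --url={shlex.quote(url)} --apikey={shlex.quote(apikey)} "
            f"--minutes='{minutes}' --warn='{warn}' --crit='{crit}' --query={shlex.quote(body)}")


if __name__ == "__main__":
    print(build_check_command("+SourceModuleName:HL7Processor +ERROR"))
```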

Re: Nagios Logserver integration : problem with filters

Posted: Tue Jan 26, 2016 6:05 am
by Johan159
Indeed, jolson's formatting solved my issue.

Thanks a lot for your help! You can mark this thread as solved ;)

Re: Nagios Logserver integration : problem with filters

Posted: Tue Jan 26, 2016 12:34 pm
by bwallace
Glad we were able to help. We'll lock this thread now and feel free to open another should you require assistance with anything else.