Can multiple input lines be turned into one message?

Posted: Thu Jan 11, 2018 12:16 pm
by GhostRider2110
Currently using NLS 1.4.4 (yes, I know I should upgrade)

I have a log coming in from an application. I'll include a sample of the log and what I am looking for. I want to create an alert based on several items and be able to include some of them in the email alert. Problem is, they come into the system one line at a time. Is there a way I can capture these and have them be included into one line to parse and pull needed info from?

Log entry:
2018-01-08 17:00:54,971 __main__ DEBUG: received request - request metadata is: {'sentTime': '2018-01-08T16:00:54', 'replyTo': None, 'memo': None, 'md5sum': 'afd045c391fd14c2a814c772588cbb0d', 'senderId': '30587', 'messageType': None, 'messageId': '24c02482-d604-46bf-95ff-b7d41ae572fd', 'correlationId': None}
2018-01-08 17:00:54,971 __main__ DEBUG: request body: <lm_integration><path>h:\viewfn\18NOTES\HB\HB1160.001</path><type>FN</type><use_oracle>True</use_oracle><dictionary>{AssocBill:IN1160.1}</dictionary></lm_integration>
2018-01-08 17:00:54,971 __main__ DEBUG: job type: FN
2018-01-08 17:00:54,972 __main__ DEBUG: AssocBill:IN1160.1
2018-01-08 17:00:54,972 __main__ DEBUG: ['AssocBill:IN1160.1']
2018-01-08 17:00:54,972 __main__ DEBUG: {'AssocBill': 'IN1160.1'}
2018-01-08 17:00:54,972 __main__ DEBUG: filename: HB1160.001
2018-01-08 17:00:54,972 __main__ DEBUG: parent_directory: HB
2018-01-08 17:00:54,972 __main__ DEBUG: document prefix: HB, document number: 1160.001
2018-01-08 17:00:54,972 __main__ DEBUG: FN
2018-01-08 17:00:54,972 __main__ DEBUG: /mnt/VIEWFN/18NOTES/HB/HB1160.001
2018-01-08 17:00:54,972 __main__ DEBUG: http://igarh7tstwebapp/lm/lm/upload_fn/
2018-01-08 17:00:56,435 __main__ ERROR: ---TRACEBACK RETURNED FROM SERVER---:
Traceback (most recent call last):
File "/opt/lrms/envs/in1_lm_webapp/lib/python2.7/site-packages/lm_webapp/lm_webapp/lm/views.py", line 494, in upload_fn
bill = Bill.objects.get(legacyid=bill_version)
File "/opt/lrms/envs/in1_lm_webapp/lib/python2.7/site-packages/joplin/models/manager.py", line 81, in get
kwargs.pop("revno", DEFAULT_REVNO)).get(*args, **kwargs)
File "/opt/lrms/envs/in1_lm_webapp/lib/python2.7/site-packages/joplin/models/query.py", line 342, in get
% str(queryset.query))
DoesNotExist: No assets matched query: (AND: ('apn__isnull', 'False'), ('legacyid__exact', "u'IN1160.1'"))

2018-01-08 17:00:56,435 __main__ ERROR: <Response [500]>
2018-01-08 17:00:56,435 __main__ INFO: waiting for requests on queue 'lm_integration'
2018-01-09 16:13:57,958 __main__ DEBUG: received request - request metadata is: {'sentTime': '2018-01-09T15:13:57', 'replyTo': None, 'memo': None, 'md5sum': '3360919b5e19369511b61195810a8055', 'senderId': '11443', 'messageType': None, 'messageId': 'a7a62d4c-3236-41a0-a0a1-53281add04c6', 'correlationId': None}
2018-01-09 16:13:57,959 __main__ DEBUG: request body: <lm_integration><path>H:\VIEWFN\18NOTES\HB\HB1015.002</path><type>FN</type><use_oracle>True</use_oracle><dictionary>{AssocBill:IN1015.2}</dictionary></lm_integration>
2018-01-09 16:13:57,959 __main__ DEBUG: job type: FN
2018-01-09 16:13:57,959 __main__ DEBUG: AssocBill:IN1015.2
2018-01-09 16:13:57,959 __main__ DEBUG: ['AssocBill:IN1015.2']
2018-01-09 16:13:57,959 __main__ DEBUG: {'AssocBill': 'IN1015.2'}
2018-01-09 16:13:57,959 __main__ DEBUG: filename: HB1015.002
2018-01-09 16:13:57,959 __main__ DEBUG: parent_directory: HB
2018-01-09 16:13:57,960 __main__ DEBUG: document prefix: HB, document number: 1015.002
2018-01-09 16:13:57,960 __main__ DEBUG: FN
2018-01-09 16:13:57,960 __main__ DEBUG: /mnt/VIEWFN/18NOTES/HB/HB1015.002
2018-01-09 16:13:57,960 __main__ DEBUG: http://igarh7tstwebapp/lm/lm/upload_fn/
2018-01-09 16:13:59,392 __main__ ERROR: ---TRACEBACK RETURNED FROM SERVER---:
Traceback (most recent call last):
File "/opt/lrms/envs/in1_lm_webapp/lib/python2.7/site-packages/lm_webapp/lm_webapp/lm/views.py", line 494, in upload_fn
bill = Bill.objects.get(legacyid=bill_version)
File "/opt/lrms/envs/in1_lm_webapp/lib/python2.7/site-packages/joplin/models/manager.py", line 81, in get
kwargs.pop("revno", DEFAULT_REVNO)).get(*args, **kwargs)
File "/opt/lrms/envs/in1_lm_webapp/lib/python2.7/site-packages/joplin/models/query.py", line 342, in get
% str(queryset.query))
DoesNotExist: No assets matched query: (AND: ('apn__isnull', 'False'), ('legacyid__exact', "u'IN1015.2'"))

2018-01-09 16:13:59,392 __main__ ERROR: <Response [500]>
2018-01-09 16:13:59,392 __main__ INFO: waiting for requests on queue 'lm_integration'
If the "DoesNotExist: No assets matched query" and the "ERROR: <Response [500]>" lines are there, I need all the info between the "INFO:" lines and to grab things like the AssocBill number and filename.

Thanks.

Re: Can multiple input lines be turned into one message?

Posted: Thu Jan 11, 2018 2:21 pm
by cdienger
The multiline codec can be used to merge multiple lines into a single event. https://www.elastic.co/guide/en/logstas ... iline.html has an example:

    codec => multiline {
      # Grok pattern names are valid! :)
      pattern => "^%{TIMESTAMP_ISO8601} "
      negate => true
      what => previous
    }


This should merge the lines:

2018-01-09 16:13:59,392 __main__ ERROR: ---TRACEBACK RETURNED FROM SERVER---:
Traceback (most recent call last):
File "/opt/lrms/envs/in1_lm_webapp/lib/python2.7/site-packages/lm_webapp/lm_webapp/lm/views.py", line 494, in upload_fn
bill = Bill.objects.get(legacyid=bill_version)
File "/opt/lrms/envs/in1_lm_webapp/lib/python2.7/site-packages/joplin/models/manager.py", line 81, in get
kwargs.pop("revno", DEFAULT_REVNO)).get(*args, **kwargs)
File "/opt/lrms/envs/in1_lm_webapp/lib/python2.7/site-packages/joplin/models/query.py", line 342, in get
% str(queryset.query))
DoesNotExist: No assets matched query: (AND: ('apn__isnull', 'False'), ('legacyid__exact', "u'IN1015.2'"))

A couple more specific examples can be found at:

https://support.nagios.com/kb/article/n ... g-546.html
https://support.nagios.com/kb/article/n ... g-727.html

Getting the last INFO line to merge with the above ERRORs may be doable but tricky and unnecessary. Let me know if it's completely needed though and I can poke around if so.

Once the data is merged the desired way, it should be pretty straightforward to pull out specific fields with grok filters. Check out the "Understanding Logstash" and specifically the example section at https://support.nagios.com/kb/article/n ... ew-98.html for steps to create grok filters.
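As an added example (not code from this thread, from Nagios Log Server or from Logstash), here is a small Python model of what the multiline codec above does, run over a constructed log modelled on the one in the first post, followed by the extraction step a grok filter would do. The function takes the codec's three options (pattern, negate, what), so the same code shows both the timestamp boundary from the reply and the "INFO line to INFO line" boundary asked about in the question. The regexes standing in for %{TIMESTAMP_ISO8601} and for the grok filter, the INFO_LINE and CONTINUED boundaries, and the field names assoc_bill and filename are this example's own choices.

```python
import re
from typing import Iterable, Iterator, Optional

# Stand-in for grok's %{TIMESTAMP_ISO8601}: anchors "2018-01-08 17:00:54,971 ..." lines.
TS_LINE = re.compile(r"^\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:[.,]\d+)?\b")
# Alternative boundary (assumed): the INFO line that separates one request from the next.
INFO_LINE = re.compile(r"^\S+ \S+ __main__ INFO: waiting for requests")
# A boundary for the what="next" mode: a line ending in a backslash continues on the next line.
CONTINUED = re.compile(r"\\$")


def merge_multiline(lines: Iterable[str], pattern: "re.Pattern",
                    negate: bool = True, what: str = "previous") -> Iterator[str]:
    """Group lines into events with the semantics of the codec's pattern/negate/what.

    A line "hits" when it matches pattern, inverted if negate is set; hits are
    glued to the previous event (what="previous") or to the line after them (what="next").
    """
    if what not in ("previous", "next"):
        raise ValueError("what must be 'previous' or 'next'")
    buf = []
    for raw in lines:
        line = raw.rstrip("\n")
        hit = bool(pattern.search(line)) != negate
        if what == "previous":
            if hit and buf:              # continuation of the event being built
                buf.append(line)
                continue
            if buf:                      # a boundary line: emit the finished event
                yield "\n".join(buf)
            buf = [line]
        else:                            # what="next": hits attach to the line after them
            buf.append(line)
            if not hit:
                yield "\n".join(buf)
                buf = []
    if buf:                              # the codec would hold this until the next boundary
        yield "\n".join(buf)             # (or auto_flush_interval); here we flush at EOF


# Regexes standing in for the grok filter that runs after the merge (example's own).
DOES_NOT_EXIST = re.compile(r"DoesNotExist: No assets matched query")
HTTP_500 = re.compile(r"ERROR: <Response \[500\]>")
ASSOC_BILL = re.compile(r"AssocBill:([A-Z]+\d+(?:\.\d+)?)")
FILENAME = re.compile(r"DEBUG: filename: (\S+)")


def failed_upload(event: str) -> Optional[dict]:
    """Return the fields for the alert e-mail if the merged event is a failed upload, else None."""
    if not (DOES_NOT_EXIST.search(event) and HTTP_500.search(event)):
        return None
    assoc = ASSOC_BILL.search(event)
    fname = FILENAME.search(event)
    return {"assoc_bill": assoc.group(1) if assoc else None,
            "filename": fname.group(1) if fname else None}


def alerts_for(log_text: str, boundary: "re.Pattern" = INFO_LINE) -> list:
    """Merge a raw log into events on the given boundary and return the alerts found."""
    events = merge_multiline(log_text.strip("\n").splitlines(), boundary)
    return [a for a in (failed_upload(e) for e in events) if a]


# Constructed sample modelled on the log in the first post: values copied from it,
# trimmed to the lines that matter, plus an invented leading INFO line.
SAMPLE = r"""
2018-01-08 17:00:50,000 __main__ INFO: waiting for requests on queue 'lm_integration'
2018-01-08 17:00:54,971 __main__ DEBUG: received request - request metadata is: {'sentTime': '2018-01-08T16:00:54', 'senderId': '30587', 'messageId': '24c02482-d604-46bf-95ff-b7d41ae572fd'}
2018-01-08 17:00:54,971 __main__ DEBUG: request body: <lm_integration><path>h:\viewfn\18NOTES\HB\HB1160.001</path><type>FN</type><dictionary>{AssocBill:IN1160.1}</dictionary></lm_integration>
2018-01-08 17:00:54,972 __main__ DEBUG: filename: HB1160.001
2018-01-08 17:00:56,435 __main__ ERROR: ---TRACEBACK RETURNED FROM SERVER---:
Traceback (most recent call last):
  File "/opt/lrms/envs/in1_lm_webapp/lib/python2.7/site-packages/lm_webapp/lm_webapp/lm/views.py", line 494, in upload_fn
    bill = Bill.objects.get(legacyid=bill_version)
DoesNotExist: No assets matched query: (AND: ('apn__isnull', 'False'), ('legacyid__exact', "u'IN1160.1'"))

2018-01-08 17:00:56,435 __main__ ERROR: <Response [500]>
2018-01-08 17:00:56,435 __main__ INFO: waiting for requests on queue 'lm_integration'
2018-01-09 16:13:57,958 __main__ DEBUG: received request - request metadata is: {'sentTime': '2018-01-09T15:13:57', 'senderId': '11443'}
2018-01-09 16:13:57,959 __main__ DEBUG: request body: <lm_integration><path>H:\VIEWFN\18NOTES\HB\HB1015.002</path><type>FN</type><dictionary>{AssocBill:IN1015.2}</dictionary></lm_integration>
2018-01-09 16:13:57,959 __main__ DEBUG: filename: HB1015.002
2018-01-09 16:13:59,392 __main__ INFO: waiting for requests on queue 'lm_integration'
"""

if __name__ == "__main__":
    for boundary in (TS_LINE, INFO_LINE):
        print(boundary.pattern, "->", alerts_for(SAMPLE, boundary))
```

Two things the run makes visible. With the timestamp boundary from the reply, only the traceback lines (which carry no timestamp) are merged, so the AssocBill and filename still sit in separate DEBUG events and no alert is produced; with the INFO boundary each event runs from one "waiting for requests" line to the next, which is the grouping asked for in the question, and the failed request yields the two fields. The last event of a stream stays buffered until the next boundary line arrives; in Logstash the codec's auto_flush_interval setting bounds that wait. The codec also assumes it sees one stream's lines in order, so if several hosts or files feed the same input their lines can interleave and be glued together wrongly.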

Re: Can multiple input lines be turned into one message?

Posted: Thu Jan 11, 2018 2:30 pm
by GhostRider2110
Thanks. No, I guess I worded it wrong. I really don't need anything out of the INFO line; that is just where I know the start of what I need is, up to the next INFO line. Only most of the data in between them. I'll give that a try.

Re: Can multiple input lines be turned into one message?

Posted: Thu Jan 11, 2018 2:55 pm
by cdienger
Sounds good! Keep us posted! :)

Re: Can multiple input lines be turned into one message?

Posted: Thu Jan 18, 2018 2:05 pm
by GhostRider2110
Still playing with this. Will report back what I get out of it.

Re: Can multiple input lines be turned into one message?

Posted: Thu Jan 18, 2018 4:52 pm
by lmiltchev
Sure. We will keep the post open.