Trigger on log entries - X entries in Y seconds

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • jgerry
    Junior Member
    • Jul 2009
    • 15

    #1

    I'm trying to construct a trigger that fires only when a logfile has 10 matching entries within a 600 second period. My initial trigger looks like this:

    {Offer:log[/data/logs/paster.log,@pasterLog].str(Functional dependency violoation)}=1

    The @pasterLog contains numerous matches; I'm trying to just trigger on "Functional dependency violoation", and this works fine. But the trigger fires every time it sees this string, and I want it to only fire if it sees this string 10 times in 10 minutes. Really I want to be able to pass the results from the str() function into count(600,1). Is it possible to do this at all, to string multiple functions together in a single trigger?
  • mpureka
    Junior Member
    • Apr 2011
    • 28

    #2
    I'm working on something like this myself; I've been trying to create a Calculated Item to get the number of occurrences of the log event (Windows event logs this time, but the principle is the same), and then create a trigger to fire off if the value of the calculated monitor is high.

    The problem is, I can't seem to get the calculated monitor working. I'm running something like this:

    count("eventlog[Application,,Error]",120)

    According to the documentation here, this is the right syntax to use in a calculated item, but this never retrieves ANY data and eventually comes back as "Not Supported". Including the Host: syntax in front of eventlog doesn't seem to help either.

    Has anyone gotten a calculated item to work for this sort of format?

    • jgerry
      Junior Member
      • Jul 2009
      • 15

      #3
      I think this solves my particular problem:

      {Offer:log[/data/logs/paster.log,@pasterLog].count(600,"CommitError","like")}>9

      count() accepts the arbitrary string input "CommitError", so if count() sees that text (using the "like" operator) more than 9 times in 600 seconds, the trigger fires. It seems to be working for me now.

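An added example, not part of the thread and not Zabbix code: a Python replay of the rule from post #3 (more than 9 values containing "CommitError" within 600 seconds) over constructed log lines, useful for checking a threshold and window before putting them in a trigger. It assumes the condition is re-checked only when a new log line arrives; the function names and sample lines are made up for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

def count_like(history, now, window_sec, pattern):
    """Count stored values newer than now - window_sec that contain pattern."""
    cutoff = now - timedelta(seconds=window_sec)
    return sum(1 for ts, value in history if ts > cutoff and pattern in value)

def evaluate(entries, window_sec=600, pattern="CommitError", threshold=9):
    """Replay (timestamp, line) pairs in time order and return the times at
    which the condition count > threshold goes from false to true."""
    history, fired, in_problem = deque(), [], False
    for ts, line in entries:
        history.append((ts, line))
        # Discard values that are too old to be counted again.
        while history[0][0] <= ts - timedelta(seconds=window_sec):
            history.popleft()
        problem = count_like(history, ts, window_sec, pattern) > threshold
        if problem and not in_problem:
            fired.append(ts)
        in_problem = problem
    return fired

# Constructed sample data (not taken from a real paster.log).
BASE = datetime(2011, 4, 1, 12, 0, 0)
# 12 matches, one every 70 s: at most 9 fall inside any 600 s window.
SLOW = [(BASE + timedelta(seconds=70 * i), "ERROR CommitError: txn aborted")
        for i in range(12)]
# Two hours later, 10 matches, one every 30 s, plus unrelated lines.
BURST_START = BASE + timedelta(hours=2)
BURST = [(BURST_START + timedelta(seconds=30 * i), "ERROR CommitError: txn aborted")
         for i in range(10)]
NOISE = [(BURST_START + timedelta(seconds=15 + 60 * i), "INFO request served")
         for i in range(3)]
SAMPLE = sorted(SLOW + BURST + NOISE)

if __name__ == "__main__":
    for ts in evaluate(SAMPLE):
        print("PROBLEM at", ts)
```

The slow stream never exceeds 9 matches per window and stays quiet, while the burst crosses the threshold on its tenth matching line; the unrelated lines are stored but not counted.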