how would you filter two events that happen close together in time

Follow

Alhad Palkar

• November 03, 2016 22:35

I am trying to filter errors that happen based on a given precondition. So say my logs have an error message like this "client returned error : -1" We know that this error could happen for a few different reasons. One of the reasons could be that the server closed the connected around the time that we got this error. This is evident from this particular line in the logs "server closing..." How do I write a filter that would show me those -1 errors only if the "server closing..." happened within( before or after doesn't matter) a minute of the former? I have tried using join but that hasn't worked for me.

0

• 

  Ankit Goel

  • November 03, 2016 23:25

  Not sure if I understood correctly but you can timeslice your incoming events by 2 mins and with in each time bucket, if count distinct of events > 2 then it will give what you looking for

  0

  Comment actions Permalink
• 

  Alhad Palkar

  • November 03, 2016 23:28

  how would I construct a query that searches for either event1 or event2? I have just started using SumoLogic and I can't find a way of doing that. if I can do this, I would be able to use the "timeslice" although this is still a hack 'cause it could happen that event1 and event2 get split into adjoining buckets

  0

  Comment actions Permalink
• 

  Alhad Palkar

  • November 04, 2016 18:14

  something like this sort of works although i still have to manually go through the results to infer causality here is my query: ((_sourceCategory=log/*) and ("server closing..." or "client returned error :")) |parse regex "client returned error : -(?\d*)" nodrop | where (isEmpty(error_code) or error_code="1")

  0

  Comment actions Permalink

Please sign in to leave a comment.