Grouping logs?

Follow

Kevin Fletcher

• February 08, 2018 21:12

I have some logs like this:

serverA up
serverB up
serverA up
serverA down    <<
serverB up
serverB up
serverA up        <<
serverA up

What I am looking to do is find the two logs marked above. Basically when the 'down' is logged, the immediate 'up' after that. These could be more than 1 log apart.

I was experimenting with Join but not getting the results I want due to this lack of time constraint.

Is this even possible with Sumologic queries?

0

• Official comment

  

  David Woller

  • February 15, 2018 16:01

  Hey Kevin,

  I think the transaction operator may be what you're looking for. This allows you to specify "states" within the logs from given strings of text, and I think that you coul use this to create a state transaction for the serverA status logs. You could specify "serverA up" as the up state and "serverA down" as the down state and then track the occurrences of those states. The link below includes some examples from the transaction operator:

  https://help.sumologic.com/Search/Search-Query-Language/Transaction-Analytics/Transaction-Operator-Examples

  Please let me know if you have any additional questions or if this doesn't provide the functionality that you're looking for. Thanks!

  Permalink
• 

  Kevin Fletcher

  • February 15, 2018 19:31
  • Edited

  Hi David, thanks!!

  0

  Permalink
• 

  Kevin Fletcher

  • February 15, 2018 17:46
  • Edited

  Ok it looks like the `with` statements need to include "*searchterm*" wildcards for example. That worked for me to get the matches.

  Now I need to figure out the differences in timestamps based on these matches - I am trying to print out the two marked << in my original post. 

  I had found this page which was more helpful: https://help.sumologic.com/Search/Search-Query-Language/Transaction-Analytics

  0

  Permalink

Please sign in to leave a comment.