Alert based on seeing Message A without being followed by Message B
I am trying to construct an alert that will only fire if we see a certain message NOT followed by a certain second message within a set period of time.
So for example: "VPN down" NOT followed by "VPN up" within 1 minute would be an alert condition.
The example given here: https://support.sumologic.com/hc/en-us/community/posts/208219507-Search-for-message-NOT-followed-by-another-message
seems to be close to what I'm looking for, but I can't figure out how to make it work when the search for Message A and Message B is something complex. e.g.,
(_sourceCategory="vec/p/pss/utm") and *Valtovpc* and 1.1.1. and "VPN down" NOT_FOLLOWED_BY_WITHIN_1_MINUTE
(_sourceCategory="vec/p/pss/utm") and *Valtovpc* and 1.1.1. and "VPN down"
Any pointers in the right direction would be appreciated!
Official comment
Hi Larry,
Do you have a way to link Message A and Message B when they do work? This could be via a parsed field, for example "id".
If so, you can use the transactionize operator to group all messages with the same "id" field and use the merge operator to merge the grouped messages. Then, you can apply a condition to check for the presence or absence of the two strings. You can also specify a time range for transactionize to do the grouping of messages.
Here's an example query:
((_sourceCategory="vec/p/pss/utm") *Valtovpc* ("VPN Down" or "VPN up"))
| parse "id=\"*\"" as id
| transactionize id maxspan=1m (merge id takeFirst, _raw join with "\n\n" as merged_message)
| where merged_message matches "*VPN down*" and !(merged_message matches "*VPN up*")
Hope that helps.
Kind regards
Raghu
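As an added example that is not part of the original thread and not Sumo Logic's own code: the "Message A not followed by Message B for the same id within a window" check from the answer above, written in plain Python so it can be run offline over a few constructed log lines. The log format, the `tunnel-*` ids and the 203.0.113.x peer addresses are all assumptions made up for this example; the `id="..."` field plays the role of the parsed `id` in the query, and the one-minute window plays the role of `maxspan=1m`.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log, not real data. Format assumed for this example:
# ISO-8601 UTC timestamp, a space, then the message, which carries an
# id="..." field that links a tunnel's "VPN down" and "VPN up" lines.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z utm: VPN down id="tunnel-a" peer=203.0.113.1
2024-05-01T10:00:20Z utm: VPN up id="tunnel-a" peer=203.0.113.1
2024-05-01T10:01:00Z utm: VPN down id="tunnel-b" peer=203.0.113.2
2024-05-01T10:02:00Z utm: VPN down id="tunnel-c" peer=203.0.113.3
2024-05-01T10:02:30Z utm: keepalive id="tunnel-c"
2024-05-01T10:03:30Z utm: VPN up id="tunnel-c" peer=203.0.113.3
2024-05-01T10:05:30Z utm: VPN Down id="tunnel-d" peer=203.0.113.4
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<msg>.*)$")
ID_RE = re.compile(r'id="(?P<id>[^"]*)"')  # the field the answer's parse pulls out


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Turn raw lines into {ts, msg, id} records; lines without an id get id=None."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        idm = ID_RE.search(m["msg"])
        events.append({"ts": parse_ts(m["ts"]), "msg": m["msg"],
                       "id": idm["id"] if idm else None})
    return events


def find_unanswered(events, now, window=timedelta(minutes=1),
                    first="VPN down", second="VPN up"):
    """Return (alerts, pending): (id, ts) pairs whose `first` message was not
    followed by a `second` message for the same id within `window`.

    Only events at or before `now` are considered, mirroring a search whose
    time range ends at `now`. A `first` whose window has not yet elapsed at
    `now` cannot be judged yet and goes to `pending` instead of `alerts`.
    """
    by_id = defaultdict(list)
    for e in events:
        if e["id"] is not None and e["ts"] <= now:
            by_id[e["id"]].append(e)

    alerts, pending = [], []
    for key, evs in by_id.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            # case-insensitive substring match, like a keyword search
            if first.lower() not in e["msg"].lower():
                continue
            deadline = e["ts"] + window
            # only later events for the same id, and only inside the window
            answered = any(second.lower() in f["msg"].lower() and f["ts"] <= deadline
                           for f in evs[i + 1:])
            if answered:
                continue
            (pending if deadline > now else alerts).append((key, e["ts"]))
    return alerts, pending


def run_sample(now="2024-05-01T10:06:00Z"):
    """Run the correlation over SAMPLE_LOG; returns just the ids for easy checking."""
    alerts, pending = find_unanswered(parse_log(SAMPLE_LOG), parse_ts(now))
    return {"alerts": [k for k, _ in alerts], "pending": [k for k, _ in pending]}


if __name__ == "__main__":
    print(run_sample())  # {'alerts': ['tunnel-b', 'tunnel-c'], 'pending': ['tunnel-d']}
```

The `pending` bucket is the caveat worth carrying over to the scheduled search: a "VPN down" that falls inside the last `maxspan` of the search's time range has not had a chance to be answered yet, so a query that simply looks for merged transactions containing "VPN down" but not "VPN up" will fire on it spuriously. Running the alert search with a lag of at least one window, or ignoring transactions whose first message is newer than `now - maxspan`, avoids that false positive; the recovery at 90 seconds for `tunnel-c` shows the opposite side, an "up" that arrives but too late to cancel the alert.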