Hi
I know the following query can be used to create an alarm with devices that haven’t been sending logs
| chart count() by device_ip | search 'count()' = 0
However, in cases where I have multiple IPs for a single device this won't work, as the ones not sending data will come up in the search result even though the device is sending data from another IP. Another case where I have issues is when pulling data with, for instance, the O365 fetcher, which will have a device_ip of localhost, which will also be the case for the internal LogPoint logs. One way could be to create alerts on the individual repos with some specific characteristics, but I would like to avoid creating multiple alerts for the same thing to reduce search load.
Any ideas how to build a single alert for detecting devices with multiple IPs not sending logs and fetchers not fetching any data?
Hi,
Have you tried this variant?
| chart count() by device_name | filter 'count()'=0
It *should* cover the case of multiple IPs.
For O365 I have not been able to test, but you could try
col_type=*o365 | chart count() by col_type | filter 'count()'=0
Regards,
Henrik
Thanks Henrik! Will give it a try.
I managed to get an extra asterisk in there; use this instead:
col_type=o365 | chart count() by col_type | filter 'count()'=0
Actually, since we are filtering on the collection type for Office365 we could probably simplify it further:
col_type=o365 | chart count() | filter 'count()'=0
This query really only makes sense in an alert rule :-)
/Henrik
Thanks
Thanks!
Can you validate this with a screendump? When changing to using the device_name in the search, we get no results returned. But when using the original search with device_ip, we get results from several nodes which we are not receiving logs from.
Hi,
I do not understand how the search will check against the list of all configured devices in Logpoint?
Can anybody explain it for me?
Thanks
Roland
Hi Roland
This is a feature:
To accommodate the special case of a device not sending logs, the query for getting the log count from device IPs is treated differently and is instantiated with all the applicable registered devices initialized with count zero. It is initialized in the indexsearcher service, which computes all the device IPs that can send to that particular repository within the user's permission.
After initialization, the rest of the computation is similar to any other query.
Besides this, there is also the simple use case of checking whether any logs are received in the Repo at all. This can be achieved by configuring an alert rule with the following parameters:
Query: | chart count()
Condition: less than “1”
Repo selection: select only 1 repo.
/Nicolai
Hi,
For a use case where you want to alert on multiple repos at once, you can use this solution:
- Create a Dynamic List which will be populated with the field value "repo_name" from all repositories you want to monitor
- Make a CSV file containing the field value "repo_name" followed by the names of the repos you want to monitor
- Make an alert that populates the Dynamic List with repositories that are receiving logs
Query: | chart count() as cnt by repo_name | filter cnt > 0 | process toList(DLIST_REPO, repo_name)
- Make an alert that compares the Dynamic List and the Dynamic Table and fires when a repo_name is missing in the Dynamic List compared to the Dynamic Table.
Query: table "Dynamic_Table_enrichment_repo" | search -repo_name in DLIST_REPO | chart count() by repo_name
Other than that there is also a Vendor Rule to alert on a single repo not receiving logs for half an hour.
Vendor Rule: LP_Default Device Stopped Sending Logs for Half an Hour
/Gustav
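To make the difference between the approaches in this thread concrete, here is an added Python simulation (not LogPoint code, and not from any poster): it runs the per-IP check from the original question, a device-level check that groups all of a device's IPs, Henrik's col_type check for fetchers, and Gustav's "expected repos minus active repos" comparison over a constructed inventory and constructed log records. Device names, IP addresses, repo names and col_type values are all hypothetical, and the 30-minute window mirrors the half-hour vendor rule mentioned above.

```python
"""Silent-source detection, grouped by device instead of by IP.

Added example, not LogPoint code. Everything below (inventory, repos,
log records) is constructed so the script runs offline.
"""
from datetime import datetime, timedelta, timezone

# Constructed device inventory: device name -> every IP it may send from.
# Hypothetical names; addresses come from RFC 5737 documentation ranges.
INVENTORY = {
    "fw-edge-01": {"192.0.2.10", "192.0.2.11"},  # primary + fallback interface
    "dc-01": {"198.51.100.5"},
    "o365-fetcher": {"127.0.0.1"},               # fetcher reports localhost ...
    "logpoint-internal": {"127.0.0.1"},          # ... and so do internal logs
}

# Constructed "dynamic table": repos that are expected to receive logs.
EXPECTED_REPOS = {"firewall", "windows", "o365", "_logpoint"}

# Constructed collection types that should be producing data.
EXPECTED_COL_TYPES = {"syslog", "internal", "o365"}

NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

# Constructed log records, i.e. what the chart query would run over.
EVENTS = [
    {"ts": NOW - timedelta(minutes=5), "device_ip": "192.0.2.11",
     "repo_name": "firewall", "col_type": "syslog"},   # only the fallback IP talks
    {"ts": NOW - timedelta(minutes=2), "device_ip": "127.0.0.1",
     "repo_name": "_logpoint", "col_type": "internal"},
    {"ts": NOW - timedelta(minutes=90), "device_ip": "198.51.100.5",
     "repo_name": "windows", "col_type": "syslog"},    # too old for the window
]


def events_in_window(events, window=timedelta(minutes=30), now=NOW):
    """Keep only records inside the alert's search window."""
    cutoff = now - window
    return [e for e in events if e["ts"] >= cutoff]


def silent_ips(inventory, events):
    """Per-IP chart (the original query): every registered IP with zero hits.

    This flags fw-edge-01's idle primary IP even though the device is alive.
    """
    seen = {e["device_ip"] for e in events}
    return sorted({ip for ips in inventory.values() for ip in ips if ip not in seen})


def silent_devices(inventory, events):
    """Device-level check: silent only if none of the device's IPs sent anything.

    Caveat shown by the sample data: a shared IP (localhost) masks a silent
    fetcher, because the count is attributed to every device using that IP.
    """
    seen = {e["device_ip"] for e in events}
    return sorted(name for name, ips in inventory.items() if not (ips & seen))


def silent_fetchers(expected_col_types, events):
    """Fetcher check keyed on col_type, since device_ip is localhost for fetchers."""
    seen = {e["col_type"] for e in events}
    return sorted(expected_col_types - seen)


def silent_repos(expected_repos, events):
    """Gustav's approach: repos in the table that never reached cnt > 0."""
    active = {e["repo_name"] for e in events}
    return sorted(expected_repos - active)


if __name__ == "__main__":
    recent = events_in_window(EVENTS)
    print("per-IP (false positive on 192.0.2.10):", silent_ips(INVENTORY, recent))
    print("per-device:", silent_devices(INVENTORY, recent))
    print("fetchers by col_type:", silent_fetchers(EXPECTED_COL_TYPES, recent))
    print("repos:", silent_repos(EXPECTED_REPOS, recent))
```

Running it shows why the thread keeps circling: the per-IP chart reports the idle fallback interface as a problem, the per-device grouping does not, but neither catches the silent O365 fetcher because it shares localhost with internal logging; only the col_type or repo-level check sees it.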
We see exactly the same problem.
It would be great to have a search query which also respects the case where a device has multiple IPs (e.g. for fallback) and sends logs from at least one IP.
Just added an idea for this:
https://logpoint.ideas.aha.io/ideas/LP-I-211
Feel free to give it a vote!
Hey, I know this topic is a bit older.
You say at the bottom there that the LP_Default Device Stopped Sending Logs rule could only be used for a single repo not receiving logs, but could you not just edit the rule to use multiple, or even all, repos technically?