Help Center Logpoint Docs Idea Portal Logpoint.com
Solved

How to see a result whith "filter < ..."

  • 22 October 2021
  • 3 replies
  • 48 views
H
Userlevel 1

Hi,

every hour my firewall loads a new antivir database. In normal case, I receive 24 logs a day. When the download fails, I don’t receive any log.

Now I want to be informed when the count of logs are less than 20 a day.

I tried the following:

norm_id=FortiOS event_category=kevent sub_category=update message="Update result: virus db:yes*"  | chart count() as "Count" by message | filter "Count" < 20

but this query doesn’t show my any results. I would like to see message and Count.

What should I modify?

Best regards,

Hans Vedder

icon

Best answer by Hans Vedder 26 October 2021, 12:18

View original

3 replies

Nicolai Thorndahl
Userlevel 3
Badge +8

Hi Hans 

I don’t see any issues with your query, and tested part of it in our demo system as well where it is working. However if the count is more than for the day then 20 then you won’t see any results as those are filtered out. 

So if you flip the “<” around to “>” then you should see results just for verification. In terms of the alarm the way you created your query it should only show alert when there is results, or you can simply remove the last filter part and instead move that logic to the alarm configuration with a less than 20 for the count field. 

Kind regards

Nicolai

Kind Regards, Nicolai
H
Userlevel 1

Hi Nicolai,

thank you for the tip. The query was okay, but not my testing scenario. Sorry.

Best regards,

Hans Vedder

H
Userlevel 1

Sorry, I wanted to mark Nicolai’s answer for best answer!

Reply


Terms & ConditionsCookie settings