How to see a result whith "filter

Question

Hi,every hour my firewall loads a new antivir database. In normal case, I receive 24 logs a day. When the download fails, I don’t receive any log.Now I want to be informed when the count of logs are less than 20 a day.I tried the following:norm_id=FortiOS event_category=kevent sub_category=update message="Update result: virus db:yes*"  | chart count() as "Count" by message | filter "Count" < 20but this query doesn’t show my any results. I would like to see message and Count.What should I modify?Best regards,Hans Vedder

Hans Vedder · Accepted Answer

Hi Nicolai,thank you for the tip. The query was okay, but not my testing scenario. Sorry.Best regards,Hans Vedder

Nicolai Thorndahl · Answer

Hi HansI don’t see any issues with your query, and tested part of it in our demo system as well where it is working. However if the count is more than for the day then 20 then you won’t see any results as those are filtered out.So if you flip the “<” around to “>” then you should see results just for verification. In terms of the alarm the way you created your query it should only show alert when there is results, or you can simply remove the last filter part and instead move that logic to the alarm configuration with a less than 20 for the count field.Kind regardsNicolai

Reply

Sign up

Already a Partner or Customer? Login with your LogPoint Support credentials. Don‘t have a LogPoint Support account? Ask your local LogPoint Representative. Only visiting? Login with LinkedIn to gain read–access.

Login to the community

Already a Partner or Customer? Login with your LogPoint Support credentials. Don‘t have a LogPoint Support account? Ask your local LogPoint Representative. Only visiting? Login with LinkedIn to gain read–access.

Scanning file for viruses.

This file cannot be downloaded