Finding a sequence of events

Jeremy_A · February 20, 2020, 9:03pm

Hi, I've seen some info online about this but much of it was a few years old so I was wondering what the best solution would be to this problem of finding a sequence of events from discreet logs.

We have an index with alert codes that come from machines, and each alert code comes in as a new document. We want to create a report that identifies when a certain pattern of alerts comes in.

For example, if you have the following documents:

{
  "machine_id" : "A1",
  "alert_code": "1"
}
{
  "machine_id" : "B1",
  "alert_code": "3"
}
{
  "machine_id" : "B1",
  "alert_code": "1"
}
{
  "machine_id" : "A1",
  "alert_code": "5"
}
{
  "machine_id" : "A1",
  "alert_code": "1"
}
{
  "machine_id" : "A1",
  "alert_code": "2"
}
{
  "machine_id" : "A1",
  "alert_code": "3"
}

Then i want to be able to search for instances where the same machine issued alerts 1-2-3 in that order, but we don't care if it issues 1-3-2 or 1-4-6 for example. Or if there was a 1-2-3 but not all from the same machine for that matter).

warkolm · February 20, 2020, 9:12pm

Is there a timestamp in each doc?

Jeremy_A · February 20, 2020, 9:35pm

Yes, each document also has a @timestamp and sequence_number associated with it.

warkolm · February 20, 2020, 9:42pm

Then you can aggregate by host, sorted by timestamp.

You could probably also write a watch script that finds that particular ordering, but I am not super sure if you can do that in another way.

system · March 19, 2020, 9:42pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.