How to get report of before and after 5 lines of log when message match = my-error to my email in x-pack in elasticsearch in plain text format

balamelangi · January 1, 2019, 2:36pm

PUT _xpack/watcher/watch/log_error_watch
{
"trigger" : { "schedule" : { "interval" : "10s" }},
"input" : {
"search" : {
"request" : {
"indices" : [ "filebeat-*" ],
"body" : {
"query" : {
"bool" : {
"must" : [
{ "match" : { "message": "error" }},
{ "range" : { "result.execution_time" : { "from" : "now-10s" }}}
]
}
}
}
}
}
},
"condition" : {
"compare" : { "ctx.payload.hits.total" : { "gt" : 0 }}
},
"actions" : {
"email_admin" : {
"email": {
"to": "John Doe john.doe@example.com",
"attachments" : {
"data.yml" : {
"data" : {
"format" : "yaml"
}
}
}
}
}
}
}

Here I want to get before and after 5 lines and host.name only when the message matches error in email using x-pack in elasticsearch in the form of plain text format. Please, anyone, help me here.

gbrown · January 2, 2019, 7:43pm

You can put together something like this using the Search transform to query for logs within a time bound around the timestamp on the error message, say +/- 5 seconds using a range query. Getting exactly 5 lines before and after is a bit more difficult. You might be able to trim the results with a Script transform as part of a Chain transform, though, if it's critical.

balamelangi · January 3, 2019, 12:36pm

@gbrown thanks for you replay. Can you please provide code for +/-5 sec. I've requirement like above.

balamelangi · January 4, 2019, 6:24am

@gbrown please give me the code for after matching the message. I'nt once match the pattern message display before and after +/-5 lines of the error match lines to be print . and let me how to get report to my mail. Please tell me any one .

balamelangi · January 7, 2019, 7:26am

@here some one help me above my problem. please.

spinscale · January 7, 2019, 9:41am

Hey,

I think the tough part here is to come up with a definition of what 5 lines above or below something means. This could mean you want the same five lines in the same logfile, but if it is a syslog file, those messages might actually be from a completely different service. If it is from an apache log, those next lines might be from a completely different IP address. So you need to define first for yourself what exactly this means. Do you want to filter by IP, by host, by service, by log level. And only after doing this one can come up with a query.

This is also the reason, why it is super hard for anyone external to your usecase to come up with concrete queries.

Hope this helps.

--Alex

balamelangi · January 7, 2019, 10:42am

Yes. I'm monitoring both syslogs as well as apache, JBOSS and my app logs. Can you please provide the x-pack notification script.

balamelangi · January 7, 2019, 12:54pm

@here some one help me.

system · February 4, 2019, 12:54pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to get report of before and after +/-5 lines of log when message match = my-error to my email in x-pack in elasticsearch Elasticsearch elastic-stack-alerting	2	421	January 7, 2019
Return a few log lines before and after an ELASTIC watcher match query Elasticsearch elastic-stack-alerting	4	2227	November 30, 2018
Email notification with source details Elasticsearch elastic-stack-alerting	4	627	May 30, 2018
How to print my error stack trace from watchers or/and alerts in an email? Kibana elastic-stack-alerting	3	647	May 25, 2021
Watcher - include all errors in e-mail Elasticsearch	4	885	February 27, 2018

How to get report of before and after 5 lines of log when message match = my-error to my email in x-pack in elasticsearch in plain text format

Related topics