VMware Cloud Community
benatviawest
Contributor

Event Correlation

Hello!

I am looking for information on how to search for occurrences of Event B, but only when it occurs within x seconds of Event A. Is this possible?

An example would be (threshold is 5 seconds):

This would match

10:00:00 - Log Entry A

10:00:01 - Log Entry B

This would not

10:00:00 - Log Entry A

10:05:00 - Log Entry B

Thanks!

0 Kudos
5 Replies
sflanders
Commander

The best option is to:

1. Search for Log Entry A

2. Next to the event select the gear icon on the left and select the option to set the time range

3. Select 5 seconds after and OK

4. Delete search for Log Entry A, but DO NOT run the query

5. Search for Log Entry B

Hope this helps! === If you find this information useful, please award points for "correct" or "helpful". ===
benatviawest
Contributor

Hmm, that is sort of it, except I was using filters vs searching because there were several things I am looking for. Basically it's this:

ALL

text contains: has completed * CP(s), NFS response to client, has entered the All Paths Down state.

hostname contains: esx*, netapp.ip.address

It is hard to describe; I might just have to write a script to parse the JSON output. Basically what I want is to show me where those events (has entered the All Paths Down state.) and (has completed * CP(s), NFS response to client) are clustered. There are lots of has completed * CP(s) events; that's why I want to narrow it down. Hope that helps.

0 Kudos
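An added example, not part of the original thread: a sketch of the script idea above, pairing each Event A with the Event B entries that fall within x seconds of it. The JSON field names (`timestamp`, `hostname`, `text`), the sample events and the function names are assumptions made for illustration, not a documented export schema.

```python
import json
import re
from bisect import bisect_left, bisect_right
from datetime import datetime, timedelta

# Constructed sample export. Field names and messages are assumptions.
SAMPLE_JSON = """[
 {"timestamp": "2024-01-01T10:00:00", "hostname": "esx01",
  "text": "Device naa.constructed has entered the All Paths Down state."},
 {"timestamp": "2024-01-01T10:00:01", "hostname": "netapp01",
  "text": "vol1 has completed 3 CP(s)"},
 {"timestamp": "2024-01-01T10:09:58", "hostname": "netapp01",
  "text": "vol1 has completed 7 CP(s)"},
 {"timestamp": "2024-01-01T10:10:00", "hostname": "esx02",
  "text": "Device naa.constructed has entered the All Paths Down state."},
 {"timestamp": "2024-01-01T10:15:00", "hostname": "netapp01",
  "text": "vol1 has completed 2 CP(s)"}
]"""

def glob_to_regex(pattern):
    """Turn a filter string such as 'has completed * CP(s)' into a regex."""
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")))

def correlate(events, pattern_a, pattern_b, window_seconds, symmetric=False):
    """Return [(a_event, [b_events])] for each A with a B inside the window.

    By default B must fall in [A, A + window]; symmetric=True also accepts
    B entries up to window_seconds before A.
    """
    rx_a, rx_b = glob_to_regex(pattern_a), glob_to_regex(pattern_b)
    parsed = sorted(((datetime.fromisoformat(e["timestamp"]), e) for e in events),
                    key=lambda pair: pair[0])
    b_hits = [(ts, e) for ts, e in parsed if rx_b.search(e["text"])]
    b_times = [ts for ts, _ in b_hits]  # sorted, so bisect can slice the window
    window = timedelta(seconds=window_seconds)
    results = []
    for ts, event in parsed:
        if not rx_a.search(event["text"]):
            continue
        lo = bisect_left(b_times, ts - window if symmetric else ts)
        hi = bisect_right(b_times, ts + window)  # window edges are inclusive
        matches = [b for _, b in b_hits[lo:hi] if b is not event]
        if matches:
            results.append((event, matches))
    return results

if __name__ == "__main__":
    hits = correlate(json.loads(SAMPLE_JSON),
                     "has entered the All Paths Down state", "has completed * CP(s)", 5)
    for a, bs in hits:
        print(a["timestamp"], a["hostname"], "->", [b["timestamp"] for b in bs])
```

Because the B timestamps are sorted once and sliced with `bisect`, a large number of "has completed * CP(s)" entries does not turn the search into a pairwise comparison.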
sflanders
Commander

Another way to approach this is to create two queries and save both to a Dashboard then stack them one on top of the other. Then you can see when completed * CP(s) happens in relation to the other messages.

One future way to do this would be with a join operator (not supported today) or a way to overlay two queries on the same graph (not supported today).

Hope this helps! === If you find this information useful, please award points for "correct" or "helpful". ===
0 Kudos
sflanders
Commander

If your question is answered can you mark it as answered?

Hope this helps! === If you find this information useful, please award points for "correct" or "helpful". ===
0 Kudos