VMware Cloud Community
TechSTSAnthony
Contributor

Combine LI agent log entries or Time period to monitor folder

Hi,

I'm new to Log Insight and looking at how to streamline monitoring of one of our applications.

I have a couple of servers that write 1 log file when they do a process between 00:00 and 01:00 in the morning. The log file is written over this period with each step and its status.

Example:

Step 1: step name

     Step 1 Status : OK : step task

          Info: additional info of task

     Step 1 Status : OK : step task

          Info: additional info of task

Step 2: step name

     Step 2 Status : OK : step task

     Step 2 Status : OK : step task

          Info: additional info of task....

Each step and step task is written as it is completed.

I have a regex which is just looking for the Step [1-9] for each line, so I get a log entry for each line along with the info line.

I then have an alert query which looks for "error" in the entry and sends an email alert.

The issue is I only get the one specific line with info the error is on, but I would like to get the entire step - so if the error is for the 2nd step task in Step 2, I would like the alert to have all the log entries for Step 2 or the previous, let's say, 5 events before the error occurred.

Possible solutions I need assistance with:

1 - Is it possible to set the LI agent folder monitor to only collect logs at a certain time? - I can then set it to monitor after 01:00 and change the regex to collect the entirety of each step.

2 - Is it possible to get LI to combine multiple events based on a field, or set an alert to send an alert based on a query + the previous 5 events?

Regards,

Anthony

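The grouping asked for above, as an added Python example that is not part of the original post and does not use any Log Insight feature: it treats each non-blank line as one event, attaches task and Info lines to their step, and returns either the whole step or the previous five events for a line containing "error". The sample log, the `ERROR` status value and all function names are constructed assumptions.

```python
import re
from collections import deque

# Constructed sample in the layout shown in the post (not real application output).
SAMPLE_LOG = """\
Step 1: backup
     Step 1 Status : OK : stop service
          Info: service stopped
     Step 1 Status : OK : copy files
          Info: 120 files copied
Step 2: import
     Step 2 Status : OK : open connection
     Step 2 Status : ERROR : load table
          Info: row 42 rejected
"""

# "Step N:" opens a step; task lines read "Step N Status :" and do not match.
STEP_HEADER = re.compile(r"^Step (\d+):")

def events(text):
    """One event per non-blank line (assumption: matches per-line collection)."""
    return [line for line in text.splitlines() if line.strip()]

def group_by_step(text):
    """Return {step_number: [lines]} with task and Info lines attached to their step."""
    steps, current = {}, None
    for line in events(text):
        m = STEP_HEADER.match(line)
        if m:
            current = int(m.group(1))
            steps[current] = []
        if current is not None:
            steps[current].append(line)
    return steps

def steps_with_errors(text):
    """Return the full block of every step that has 'error' in any of its lines."""
    return {n: lines for n, lines in group_by_step(text).items()
            if any("error" in l.lower() for l in lines)}

def context_before_error(text, before=5):
    """Return each error line preceded by up to `before` earlier events."""
    window, hits = deque(maxlen=before), []
    for line in events(text):
        if "error" in line.lower():
            hits.append(list(window) + [line])
        window.append(line)
    return hits
```

With `before=5` the window can reach back into the previous step, which is the difference between the two options in the post.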