As an example, let's build a search query, save it (as a report), and then make an alert out of it. First, let's find errors that affect mary, one of our most important users. This can simply be the query mary error. Looking at some sample log messages that match this query, we see that some of these events probably don't matter (the dates have been removed to shorten the lines):
ERROR LogoutClass error, ERROR, Error! [user=mary, ip=3.2.4.5]
WARN AuthClass error, ERROR, Error! [user=mary, ip=1.2.3.3]
ERROR BarCLass Hello world. [user=mary, ip=4.3.2.1]
WARN LogoutClass error, ERROR, Error! [user=mary, ip=1.2.3.4]
DEBUG FooClass error, ERROR, Error! [user=mary, ip=3.2.4.5]
ERROR AuthClass Nothing happened. This is worthless. Don't log this. [user=mary, ip=1.2.3.3]
We can probably skip the DEBUG messages; the LogoutClass messages look harmless, and the last message actually says that it's worthless. The query

mary error NOT debug NOT worthless NOT logoutclass

limits the...
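To make the semantics of that query concrete, here is an added example (not code from the book or from Splunk) that applies the same keyword rules to the six sample events above: bare terms are implicitly ANDed, matching is case-insensitive, and an uppercase NOT excludes any event containing the following term. The tokenizer is a simplified stand-in for Splunk's segmentation, treating every non-alphanumeric character as a breaker, so "user=mary" yields the token "mary" and "ERROR," yields "error"; real Splunk segmentation is richer, but the outcome on these lines is the same.

```python
import re

# The six sample events quoted in the text (dates removed, as in the book).
SAMPLE_EVENTS = [
    "ERROR LogoutClass error, ERROR, Error! [user=mary, ip=3.2.4.5]",
    "WARN AuthClass error, ERROR, Error! [user=mary, ip=1.2.3.3]",
    "ERROR BarCLass Hello world. [user=mary, ip=4.3.2.1]",
    "WARN LogoutClass error, ERROR, Error! [user=mary, ip=1.2.3.4]",
    "DEBUG FooClass error, ERROR, Error! [user=mary, ip=3.2.4.5]",
    "ERROR AuthClass Nothing happened. This is worthless. Don't log this. [user=mary, ip=1.2.3.3]",
]

# Simplified segmentation (assumption): runs of letters/digits are tokens,
# everything else ('=', ',', '[', '.', ...) is a breaker.
TOKEN_RE = re.compile(r"[a-z0-9]+")


def tokenize(text):
    """Lower-case the event and return the set of keyword tokens it contains."""
    return set(TOKEN_RE.findall(text.lower()))


def parse_query(query):
    """Split a keyword query into required terms and NOT-excluded terms.

    Bare terms are implicitly ANDed. Only an uppercase NOT is the operator,
    as in Splunk; a lowercase 'not' would be searched for as an ordinary term.
    """
    required, excluded = [], []
    words = query.split()
    i = 0
    while i < len(words):
        if words[i] == "NOT" and i + 1 < len(words):
            excluded.append(words[i + 1].lower())
            i += 2
        else:
            required.append(words[i].lower())
            i += 1
    return required, excluded


def matches(event, required, excluded):
    """True when every required term is present and no excluded term is."""
    toks = tokenize(event)
    return all(t in toks for t in required) and not any(t in toks for t in excluded)


def search(query, events=SAMPLE_EVENTS):
    """Return the events that the keyword query would select."""
    required, excluded = parse_query(query)
    return [e for e in events if matches(e, required, excluded)]


if __name__ == "__main__":
    for q in ("mary error", "mary error NOT debug NOT worthless NOT logoutclass"):
        print(f"{q!r} -> {len(search(q))} event(s)")
        for e in search(q):
            print("   ", e)
```

Running it shows that mary error selects all six events, while the refined query keeps only the two AuthClass/BarCLass lines that are neither DEBUG, LogoutClass, nor self-described as worthless; the same refinement is what you want before saving the search as a report and attaching an alert, so the alert fires on the interesting events rather than on noise.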