Fetchlog Query

This query is used to retrieve logs from indexes with some filters specified in fetchlog command or filter based on previous results in the pipeline. Fetchlog command retrieves records from NFDB.

You can use Fetchlog command in two ways:

  1. When Fetchlog is the first command: To retrieve logs from indexes with some filters specified.
  2. When Fetchlog is the not the first command: When the fetchlog command is not the first command in the pipeline, the fetchlog command is used to fetch logs filtered based on the results of the previous command.

Syntax: fetchlog INDEX:” indexpattern” <logical-expression>

Example: fetchlog index:”tier1-env2-20180503″ where httpmethod.keyword==”GET” AND dc.keyword==”test”

Support of Auto Fill of hh:mm:ss. Ss value

Support for default value is provided i.e. 00 if you do not place any value in the syntax of timestamp format (i.e YYYY-MM-DD HH:mm: ss.SSS) in startTime and endTime parameters of fetchlog.

For Example:

If you want to search startTime only upto min.

fetchlog index: “gcp*” where startTime == “2019-08-30T11:22”

It automatically fills the second/millisecond values in backend:

fetchlog index: “gcp*” where startTime == “2019-08-30T11:22:00.000”

Figure 75: Fetch Query

Sort Query

This query sorts the results of a search in ascending or descending order based on the order specified by the user.

Syntax: ..|sort <Orderoption> <fieldName>

Example : index=* query=*|sort asc resptime

Output: This generates the result by sorting the values of field ‘resptime’ in ascending order.

Figure 76: Sort Query

Time Function

This function returns current time, with microseconds resolution. The result is changed for every different search.

Syntax: ..| eval <fieldName>=time()

Example: * | eval sample=time()|table sample,@timestamp

Output: This generate the result by adding a field ‘sample ‘, which contains the fetched document time in milliseconds.

Figure 77: Time Function

strftime (X,Y)

This function takes field as input which should have format epoch-millis and returns Date according to Y specifier format.

Syntax:  . . | eval <fieldName>=strftime(doc.<fieldName>.value,<”datetimeFormat”>)

 

Example:

* | eval sample=strftime(doc.@timestamp.value,”%H:%m”)|table @timestamp, sample

Output: This generate the result by adding a field ‘sample ‘which contains the converted date/time value of field @timestamp in given datetimeFormat.

Figure 78: STRFTime (X,Y)

strptime () function

This function takes string X as first argument and second argument Y as date format to represent String X.  The strptime function returns correct UNIX time of String X. String X value must be January 1, 1971, or later.

Syntax:

 . . | eval <fieldName>=strftime(doc.<fieldName>.value,<”datetimeFormat”>)

Example:

 * | eval sample=strptime(doc.@timestamp.value,”%yyyy-%MM-%dd”)|table @timestamp, sample

Output: This generate the result by adding a field ‘sample ‘which contains the converted date/time value of field @timestamp in epoch-milliseconds format.

Note: Here the <datetimeFormat> must be same as given field format.

Figure 79: STRPTime Function

Monitoring Server Health

It is used to monitor NFDB server health, such as CPU, memory, disk, and so on. It also monitors, number of users logged in, number of queries run by the user, query response time, max used query.

Figure 80: Monitoring Server Health
Previous
Next