Report Template: Advanced Counter¶
This syslog report template shows how to count different variable values.
Conditions and Goal¶
Each syslog message contains the text Variable=...
, where ...
is from a set of values, e.g., IP addresses: IP=192.168.1.1
.
We need to count how many times each value (IP address) occurs.
Report Template¶
Initial step: create a new template.
Initialization (Pre Commands)¶
The initialization (Pre) command creates a table for the values.
Data Field¶
Make sure you have the Advanced Settings visible:
Use regular expression syntax to extract the required field from the message text. The exact expression will be individual for each case. For the example above, {MESSAGE|r/IP=(\S+)/}
will work.
Commands¶
Next, add two commands that apply to all syslog messages (no filter):
INSERT OR IGNORE INTO Vals (Val) VALUES ('{IP|EscSQL}');
UPDATE Vals SET Counter=Counter+1 WHERE Val='{IP|EscSQL}';
The first command creates records for new values (IP addresses), and the second increments the counter. Always add the EscSQL modifier to escape values you extract from message text.
Post SQL Commands¶
All calculations are performed during report generation, so finalizing (Post) commands are not required.
Output Filename¶
The report's creation timestamp will create a unique file name:
Output Directory¶
Leaving the target directory empty will prompt you to enter the output directory each time the report is generated.
Output HTML¶
Here is a simple HTML that displays the counters:
Let's improve the template by including titles, time period, and total number:
Results¶
You will end up with a template looking like this:
And a generated report looks similar to this one:
Message Filtering¶
For this report type, you will filter syslog messages to analyze only those that contain the required data field. Always add filter by severity level and (if possible) syslog originators.
Tip
Filtering by severity level is very fast and will help you avoid analyzing unnecessary messages.
Download Template¶
You can download this report example (advanced-counter.report.json) and import it into Syslog Watcher Manager.