I'm struggling now.
Could you please help me?
There are two hosts. They have the same log data.
The host name is different, but the same data is indexed.
host 1 is the master.
If host 1 fails, 2 becomes the master.
If an alert is created as it is, two alerts will be created for the same event. So I am trying to make the same event into one using dedup.
There is a message in the log, only the number changes.
Error message ××× occur
I want to create field to use dedup.
I know it is wrong, but I want to do something like this one.
message = "Error message \d\d\d occur"
| dedup message
I can't come up with a way.
Could you help me?
Thank you.
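One way to build the field the question asks about, as an added example that is not part of the original post: `rex` pulls the changing three-digit number out of the raw message into a field, and `dedup` on that field keeps one copy of each event even though both hosts indexed it. The index and sourcetype names are assumptions.

```spl
index=app_logs sourcetype=app_error "Error message"
| rex field=_raw "Error message (?<errcode>\d{3}) occur"
| dedup errcode
| table _time host errcode _raw
```

Events where the pattern does not match have no `errcode` and are dropped by `dedup` unless you write `dedup errcode keepempty=true`; check the `host` column to confirm that the surviving copy can come from either host after a failover.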