Hi LogViewPlus,

this is an idea for a new detection.
We get multiple logfiles which we have to investigate. When opening a logfile then I can use templates to search for potential issues.
If this could be automated that would be a great advantage.

My idea would be to store specific patterns inside LogViewPlus per parser. If such a pattern fits then show a message to the analyst so he can confirm if this is an issue or false positive.

Example 1:
In one of our logs a synchronization start and a synchronization stop is visible. Depending on the time such a synchronization takes this could be a problem or not. We could define to throw a message in case that the synchronization takes more than 3 minutes. Then it would popup for the analysist and he can decide if this is a problem or not. The option "Calculate Elapsed" already exists in LogViewPlus and could be used for this case.

Example 2:
Using the same example from "Example 1" that we check for a synchronization time. These synchronization attemps will be executed all 15 minutes in an interval. Normally the log would look as follows:
- Sync start
- Sync stop
- Sync start
- Sync stop
In case that a synchronization takes more than 15 minutes the log would look as follows. The stop message is missing.
- Sync start
- Sync start
In many logs a message is thrown when a process started and when a process stopped. If we can catch when a process was never stopped that would be great

Example 3:
Throwing a message in case a specific log order is not as expected.
Let's use an example for a login process on a computer and imagine that for each process a logentry will be written:
- computer starts
- login screen shown
- credentials entered and sent by the user
- local accounts will be checked and user will be logged in if available
- domain accounts will be checked and user will be logged in if available
- login fails
For this example it could be that the login fails but the domain accounts were never be checked (maybe a network issue) so then the "login fails" message appears but one message was skipped. This could appear as a warning and gives the analyst a fast help to investigate.
Please note that depending on the system there can be a lot of processes running in parallel so it must also be possible to check the process order based on a column. Within such a column there could be a Generic ID or username given which was available in the log.

Example 4:
Some errors appear seldom but if they appear they do have a specific pattern.
This pattern could be a single error message or a row of error messages. If such pattern is matched then a message to the analyst should be thrown.

I can imagine that there are many many more examples but hopefully my idea makes sense. :-)
The error indicators should only be available per parser as otherwise there will be a lot of checks on logfiles where this makes no sense. This just increases CPU usage even when not needed.

It would also be great if per such indicator 2 more information can be given:
- urgency: defines how serious such error can be as a help for the analyst who maybe never experienced this before
- information field: this information field can either contain a link to a bug report or knowledgebase article or contain a small description which does help the analyst for investigation

Best regards,
Matthias

Hi Matthias,

Thanks for the feedback!

I think this is a good vision and I would love for LogViewPlus to be able to do these things more easily.  However, I really do not want to increase application complexity.  It is very important for new users to be able to quickly understand the application.  I think applications can become complicated unintentionally when big features are added too fast.

One feature on our backlog is "Triggers".  Actions that take place when something happens or is detected in a log file.  For example, "Apply a template if you see this log line".  Triggers have a wide appeal and are easy to understand.  I think they would be a good stepping stone toward the vision you have outlined above.  My preference would be to revisit some of these use cases once that feature is complete.

Part of the power of LogViewPlus comes from the composition of simple ideas.  I would like to move toward the vision above, but I think it needs to be done with simple building blocks - and this will take time.

Hope that helps,

Toby