Hi LogViewPlus,
This is an idea for a new detection. We get multiple log files which we have to investigate. When opening a log file I can use templates to search for potential issues. If this could be automated, that would be a great advantage.
My idea would be to store specific patterns inside LogViewPlus per parser. If such a pattern matches, show a message to the analyst so he can confirm whether this is an issue or a false positive.
Example 1: In one of our logs a synchronization start and a synchronization stop are visible. Depending on how long such a synchronization takes, this could be a problem or not. We could define that a message is thrown in case the synchronization takes more than 3 minutes. It would then pop up for the analyst and he can decide whether this is a problem or not. The option "Calculate Elapsed" already exists in LogViewPlus and could be used for this case.
Example 2: Using the same example as in "Example 1", where we check the synchronization time. These synchronization attempts are executed every 15 minutes. Normally the log would look as follows:
- Sync start
- Sync stop
- Sync start
- Sync stop
In case a synchronization takes more than 15 minutes, the log would look as follows. The stop message is missing:
- Sync start
- Sync start
In many logs a message is written when a process started and when a process stopped. If we can catch when a process was never stopped, that would be great.
Example 3: Throwing a message in case a specific log order is not as expected. Let's use the example of a login process on a computer and imagine that for each step a log entry is written:
- computer starts
- login screen shown
- credentials entered and sent by the user
- local accounts are checked and the user is logged in if available
- domain accounts are checked and the user is logged in if available
- login fails
For this example it could be that the login fails but the domain accounts were never checked (maybe a network issue), so the "login fails" message appears but one message was skipped. This could appear as a warning and gives the analyst fast help to investigate. Please note that depending on the system there can be a lot of processes running in parallel, so it must also be possible to check the process order based on a column. Such a column could contain a generic ID or username which was available in the log.
Example 4: Some errors appear seldom but if they appear they do have a specific pattern. This pattern could be a single error message or a row of error messages. If such pattern is matched then a message to the analyst should be thrown.
I can imagine that there are many, many more examples, but hopefully my idea makes sense. :-) The error indicators should only be available per parser, as otherwise there will be a lot of checks on log files where this makes no sense. This just increases CPU usage even when not needed.
It would also be great if two more pieces of information could be given per indicator:
- urgency: defines how serious such an error can be, as a help for the analyst who maybe has never experienced this before
- information field: this field can either contain a link to a bug report or knowledge base article, or a small description which helps the analyst with the investigation
Best regards, Matthias
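Added example, not part of the post above and not LogViewPlus code: a small stand-alone Python prototype of the four indicator types Matthias describes (elapsed time between start and stop, a start that is never stopped, an out-of-order step sequence correlated by a key column, and a multi-line error signature), each carrying an urgency and an info field and registered per parser. The log format, the parser names, the 3-minute threshold and the knowledge-base texts are all assumptions made for the demo; the sample log lines are constructed.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log (not from a real system); columns are
# "<date> <time> <correlation-key> <message>". The key column plays the role of the
# generic ID / username column from example 3.
SAMPLE_LOG = """\
2024-01-01 10:15:00 sync Sync start
2024-01-01 10:19:30 sync Sync stop
2024-01-01 10:30:00 sync Sync start
2024-01-01 10:45:00 sync Sync start
2024-01-01 10:46:00 sync Sync stop
2024-01-01 11:00:00 alice computer starts
2024-01-01 11:00:05 alice login screen shown
2024-01-01 11:00:10 alice credentials entered
2024-01-01 11:00:11 alice local accounts checked
2024-01-01 11:00:12 alice login fails
2024-01-01 11:10:00 svc ERROR disk quota exceeded
2024-01-01 11:10:01 svc ERROR write failed
"""
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (.*)$")

@dataclass
class Entry:
    lineno: int
    ts: datetime
    key: str  # column used to correlate parallel processes
    msg: str

@dataclass
class Finding:
    lineno: int
    urgency: str  # low / medium / high: how serious this usually is
    text: str
    info: str     # link or short hint that helps the analyst investigate

def parse(text):
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(n, datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S"), m[2], m[3]))
    return entries

def check_start_stop(entries, start_re, stop_re, max_seconds, info):
    """Examples 1 and 2: pair start/stop per key; flag slow runs and runs that never stop."""
    findings, open_starts = [], {}
    for e in entries:
        if re.search(start_re, e.msg):
            if e.key in open_starts:  # a second start before any stop: the stop is missing
                prev = open_starts[e.key]
                findings.append(Finding(prev.lineno, "high", f"'{prev.msg}' never stopped", info))
            open_starts[e.key] = e
        elif re.search(stop_re, e.msg) and e.key in open_starts:
            elapsed = (e.ts - open_starts.pop(e.key).ts).total_seconds()
            if elapsed > max_seconds:
                findings.append(Finding(e.lineno, "medium", f"took {elapsed:.0f}s (limit {max_seconds}s)", info))
    for prev in open_starts.values():  # still open when the file ends
        findings.append(Finding(prev.lineno, "high", f"'{prev.msg}' never stopped", info))
    return findings

def check_order(entries, steps, info):
    """Example 3: per key, the steps must occur in the given order; report skipped ones."""
    findings, pos = [], {}
    for e in entries:
        idx = next((i for i, s in enumerate(steps) if re.search(s, e.msg)), None)
        if idx is None:
            continue
        expected = pos.get(e.key, 0)
        if idx > expected:
            findings.append(Finding(e.lineno, "medium",
                                    f"'{e.msg}' reached but skipped: {', '.join(steps[expected:idx])}", info))
        pos[e.key] = 0 if idx + 1 == len(steps) else idx + 1  # the last step closes the cycle
    return findings

def check_sequence(entries, pattern, info):
    """Example 4: a known error signature made of one or more consecutive lines."""
    n = len(pattern)
    return [Finding(entries[i].lineno, "high", "known error pattern matched", info)
            for i in range(len(entries) - n + 1)
            if all(re.search(p, e.msg) for p, e in zip(pattern, entries[i:i + n]))]

# Indicators are registered per parser, so a file only gets the checks that apply to it.
INDICATORS = {  # parser names, patterns and info texts are assumptions for this demo
    "sync-parser": [
        lambda es: check_start_stop(es, r"^Sync start$", r"^Sync stop$", 180, "KB: slow sync"),
        lambda es: check_sequence(es, [r"ERROR disk quota", r"ERROR write failed"], "KB: disk full on sync host"),
    ],
    "login-parser": [
        lambda es: check_order(es, ["computer starts", "login screen shown", "credentials entered",
                                    "local accounts checked", "domain accounts checked", "login fails"],
                               "KB: a skipped domain check usually means a network issue"),
    ],
}

def run(parser_name, text):
    entries = parse(text)
    found = [f for check in INDICATORS.get(parser_name, []) for f in check(entries)]
    return sorted(found, key=lambda f: f.lineno)
```

Running `run("sync-parser", SAMPLE_LOG)` on the constructed log reports the 4.5-minute sync on line 2, the 10:30 start on line 3 that was followed by another start without a stop, and the two-line disk error starting at line 11; `run("login-parser", SAMPLE_LOG)` reports only line 10, where "login fails" arrived without "domain accounts checked". A parser with no registered indicators gets no checks at all, which is the per-parser scoping the post asks for.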