Closed David-yanp closed 3 months ago
For SQL based Alerts, the `program_id` column is not yet initialized. You have to query against the `program` column. Check out the layout of the `syslog_incoming` table. For Reports, you can use the `program_id` as it runs out of the `syslog` table. So, by then, the `program` column has been resolved to `program_id`.
Hello,
Thanks for your help.
I tried to use the `program` instead of `program_id`, but some errors still occur.
2022/05/17 21:47:11 - CMDPHP SQL Backtrace: (/plugins/syslog/syslog_process.php[186]:syslog_remove_items(), /plugins/syslog/functions.php[606]:syslog_db_execute(), /plugins/syslog/database.php[69]:db_execute(), /lib/database.php[272]:db_execute_prepared())
2022/05/17 21:47:11 - CMDPHP ERROR: A DB Exec Failed!, Error: Unknown column 'program' in 'where clause'
And if the program is too long, the SQL will be cut off.
This is my setting. Can I use the program for now?
Sounds like your syslog incoming table may not be up to date:
+-------------+---------------------+------+-----+---------------------+----------------+
| Field | Type | Null | Key | Default | Extra |
+-------------+---------------------+------+-----+---------------------+----------------+
| facility_id | int(10) unsigned | YES | | NULL | |
| priority_id | int(10) unsigned | YES | | NULL | |
| program | varchar(40) | YES | MUL | NULL | |
| logtime | timestamp | NO | | 0000-00-00 00:00:00 | |
| host | varchar(64) | YES | | NULL | |
| message | varchar(1024) | NO | | | |
| seq | bigint(20) unsigned | NO | PRI | NULL | auto_increment |
| status | tinyint(4) | NO | MUL | 0 | |
+-------------+---------------------+------+-----+---------------------+----------------+
Hi,
It's a fresh install and I rechecked it; the table `syslog_incoming` includes the `program` column.
May something be wrong?
mysql> desc syslog_incoming;
+-------------+---------------------+------+-----+---------------------+----------------+
| Field | Type | Null | Key | Default | Extra |
+-------------+---------------------+------+-----+---------------------+----------------+
| facility_id | int(10) unsigned | YES | | NULL | |
| priority_id | int(10) unsigned | YES | | NULL | |
| program | varchar(40) | YES | MUL | NULL | |
| logtime | timestamp | NO | | 0000-00-00 00:00:00 | |
| host | varchar(64) | YES | | NULL | |
| message | varchar(2048) | NO | | | |
| seq | bigint(20) unsigned | NO | PRI | NULL | auto_increment |
| status | tinyint(4) | NO | MUL | 0 | |
+-------------+---------------------+------+-----+---------------------+----------------+
8 rows in set (0.01 sec)
This should be fixed now. Please test.
Hello,
How can I use the `program_id` to filter the removal rule? When I chose the SQL expression and typed `program_id in (1,2,3,4,5,6,8,16,17,23,25,27,29,40,43,52)` in, I got some error log as below: I checked the SQL and saw the SQL has the `program_id`, but it's too complicated. I'm not good at SQL; can someone tell me how to use it and how I can do it? Any idea will be appreciated.

![image](https://user-images.githubusercontent.com/11266502/168716753-df58515b-9d6e-4c0f-abed-abf537904c52.png)