Generate a property relevance that gets the last few lines of a file with a specific string

I'm trying to create a relevance script that gets all ERROR and WARNING entries found in EDR_DeploymentResults.txt for troubleshooting purposes. I think it is not efficient to store all these lines, hence I am thinking the result could be decreased to the last 5 lines containing the information.

Q: lines whose ((it contains "WARNING") or (it contains "ERROR")) of file "/var/opt/BESClient/EDRDeployData/EDR_DeploymentResults.txt"



A: 534653   : 2022-11-22 20:32:49 : WARNING  : Repo list is empty for OS: server-8-x86_64
A: 534662   : 2022-11-22 20:32:50 : WARNING  : Repo list is empty for OS: server-8-x86_64
A: 534662   : 2022-11-22 20:32:53 : ERROR    : Dependency resolution failed.
A: 534662   : 2022-11-22 20:32:53 : ERROR    : Exit Code: 1
A: 534725   : 2022-11-22 20:32:54 : ERROR    : dnf command not continue, last command exit code is not 0
A: 27838    : 2023-01-31 15:18:39 : WARNING  : Repo list is empty for OS: server-8-x86_64
A: 27859    : 2023-01-31 15:18:40 : WARNING  : Repo list is empty for OS: server-8-x86_64
A: 27859    : 2023-01-31 15:18:42 : ERROR    : Dependency resolution failed.
A: 27859    : 2023-01-31 15:18:42 : ERROR    : Exit Code: 1
A: 27923    : 2023-01-31 15:18:42 : ERROR    : dnf command not continue, last command exit code is not 0
A: 28009    : 2023-01-31 15:18:45 : WARNING  : Repo list is empty for OS: server-8-x86_64
A: 28029    : 2023-01-31 15:18:45 : WARNING  : Repo list is empty for OS: server-8-x86_64
A: 28029    : 2023-01-31 15:18:46 : ERROR    : Dependency resolution failed.
A: 28029    : 2023-01-31 15:18:46 : ERROR    : Exit Code: 1
A: 28060    : 2023-01-31 15:18:47 : ERROR    : dnf command not continue, last command exit code is not 0
A: 145424   : 2023-05-22 13:41:00 : ERROR    : Dependency resolution failed.
A: 145424   : 2023-05-22 13:41:00 : ERROR    : No packages are available.
A: 145424   : 2023-05-22 13:41:00 : ERROR    : Exit Code: 201
A: 8355     : 2023-05-29 15:23:03 : ERROR    : Dependency resolution failed.
A: 8355     : 2023-05-29 15:23:03 : ERROR    : No packages are available.
A: 8355     : 2023-05-29 15:23:03 : ERROR    : Exit Code: 201
A: 7004     : 2023-05-30 18:20:13 : ERROR    : Dependency resolution failed.
A: 7004     : 2023-05-30 18:20:13 : ERROR    : No packages are available.
A: 7004     : 2023-05-30 18:20:13 : ERROR    : Exit Code: 201
A: 7831     : 2023-06-01 16:58:39 : ERROR    : Dependency resolution failed.
A: 7831     : 2023-06-01 16:58:39 : ERROR    : No packages are available.
A: 7831     : 2023-06-01 16:58:39 : ERROR    : Exit Code: 201
A: 7835     : 2023-06-06 12:28:31 : ERROR    : Dependency resolution failed.
A: 7835     : 2023-06-06 12:28:31 : ERROR    : No packages are available.
A: 7835     : 2023-06-06 12:28:31 : ERROR    : Exit Code: 201
T: 6839

I’m trying to incorporate the information I found from this thread:

Any help will be much appreciated.
Thank you.

Piggybacking off @jgstew code:

Q: items 1 of ( item 1 of it, (lines whose (it contains "Bigfix") of item 0 of it )) whose ( (line number of item 1 of it) > ( item 0 of it - 3 /* <- This is the number of lines to return, which is subtracted from the total # of lines <- */ ) ) of (it, number of lines of it) of (file "C:\Users\Administrator\Documents\bleh.txt")
A: Bigfix 3
A: Bigfix 4
A: Bigfix 5
T: 0.454 ms
I: plural file line

Thank you so much. This is similar to what I would like to have. I just modified it based on my requirement:

if (name of operating system starts with "Win") OR (name of operating system starts with "Mac") then "N/A" else items 1 of ( item 1 of it, (lines whose ((it contains "WARNING") or (it contains "ERROR")) of item 0 of it )) whose ( (line number of item 1 of it) > ( item 0 of it - 100 /* <- This is the number of lines to return, which is subtracted from the total # of lines <- */ ) ) of (it, number of lines of it) of (file "/var/opt/BESClient/EDRDeployData/EDR_DeploymentResults.txt")

Additionally I used BigFix WebUI - Query to get more information about the log so as to avoid uploading results to my BigFix database.

if (name of operating system starts with "Win") OR (name of operating system starts with "Mac") then "N/A" else items 1 of ( item 1 of it, (lines of item 0 of it )) whose ( (line number of item 1 of it) > ( item 0 of it - 100 /* <- This is the number of lines to return, which is subtracted from the total # of lines <- */ ) ) of (it, number of lines of it) of (file "/var/opt/BESClient/EDRDeployData/EDR_DeploymentResults.txt")
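As an added example (not code from this thread or from BigFix), here is the same retrieval written in Python over a constructed log in the `pid : timestamp : LEVEL : message` layout shown in the debugger output above. `matching_in_tail` mirrors what the relevance expressions in this thread do: the `line number ... > total - N` test keeps only those WARNING/ERROR lines that fall within the last N lines of the file. `last_matching` instead returns the last N WARNING/ERROR lines wherever they sit in the file, which is what the original question asked for; the two differ whenever the file ends with lines that are neither, so it is worth knowing which one a property actually reports. The function names, the regex and the sample log are assumptions, not anything from the thread.

```python
import re
from collections import deque
from typing import List, NamedTuple, Optional, Sequence

# Constructed sample log (not real data) in the layout seen in the debugger output:
# "<pid> : <timestamp> : <LEVEL> : <message>"
SAMPLE_LOG = """\
7831     : 2023-06-01 16:58:38 : INFO     : Starting dnf install
7831     : 2023-06-01 16:58:39 : ERROR    : Dependency resolution failed.
7831     : 2023-06-01 16:58:39 : ERROR    : No packages are available.
7831     : 2023-06-01 16:58:39 : ERROR    : Exit Code: 201
7835     : 2023-06-06 12:28:30 : INFO     : Starting dnf install
7835     : 2023-06-06 12:28:31 : ERROR    : Dependency resolution failed.
7835     : 2023-06-06 12:28:31 : ERROR    : No packages are available.
7835     : 2023-06-06 12:28:31 : ERROR    : Exit Code: 201
7835     : 2023-06-06 12:28:32 : INFO     : Done
"""

# Assumed layout: the message may itself contain colons (e.g. "Exit Code: 201"),
# so the level is matched as a single word and everything after its colon is the message.
LINE_RE = re.compile(
    r"^\s*(?P<pid>\d+)\s*:\s*(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s*:"
    r"\s*(?P<level>\w+)\s*:\s*(?P<msg>.*)$"
)

DEFAULT_LEVELS: Sequence[str] = ("WARNING", "ERROR")


class Entry(NamedTuple):
    line_no: int  # 1-based, like "line number" in relevance
    pid: str
    ts: str
    level: str
    msg: str


def parse_line(line_no: int, line: str) -> Optional[Entry]:
    """Parse one log line; return None for lines that do not follow the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return Entry(line_no, m["pid"], m["ts"], m["level"], m["msg"].rstrip())


def matching_in_tail(text: str, n: int, levels: Sequence[str] = DEFAULT_LEVELS) -> List[Entry]:
    """Same semantics as the thread's relevance: WARNING/ERROR lines whose
    line number is greater than (total lines - n), i.e. matches within the
    last n lines of the file, however few of them there are."""
    lines = text.splitlines()
    total = len(lines)
    result = []
    for i, raw in enumerate(lines, start=1):
        entry = parse_line(i, raw)
        if entry and entry.level in levels and entry.line_no > total - n:
            result.append(entry)
    return result


def last_matching(text: str, n: int, levels: Sequence[str] = DEFAULT_LEVELS) -> List[Entry]:
    """The last n WARNING/ERROR lines anywhere in the file. A bounded deque
    keeps memory at n entries even for a large log."""
    tail: deque = deque(maxlen=n)
    for i, raw in enumerate(text.splitlines(), start=1):
        entry = parse_line(i, raw)
        if entry and entry.level in levels:
            tail.append(entry)
    return list(tail)


if __name__ == "__main__":
    print("matches within the last 3 lines:")
    for e in matching_in_tail(SAMPLE_LOG, 3):
        print(f"  line {e.line_no}: {e.level} {e.msg}")
    print("last 3 matching lines:")
    for e in last_matching(SAMPLE_LOG, 3):
        print(f"  line {e.line_no}: {e.level} {e.msg}")
```

With the sample above, `matching_in_tail(SAMPLE_LOG, 3)` yields only two entries (lines 7 and 8), because line 9 is INFO, whereas `last_matching(SAMPLE_LOG, 3)` yields lines 6, 7 and 8. The relevance in this thread uses 100 as its window, so in practice it reports every WARNING/ERROR among the last 100 lines, which may be zero if the run ended cleanly.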
