DX Unified Infrastructure Management

  • 1.  Logmon Regex question

    Posted Oct 22, 2012 03:55 PM

    /.servername.\S*(\d*?).\s*.(\d+).(\w).\s*.(\d+).\s*(\d+).\s*(\d+).\s*.\S*(\d*?).\s*(\S*).\s*.(\S*)./

     

    *servername ipaddress       2 u  824 1024  377    0.613   -5.983   0.118

     

    The regex has been created to break the above string up into variables, and we need to pass variable 8 (-5.983) as a numerical value.

    The string is part of the output from ntpq -p on a Red Hat server.

    The variable is the offset and can be a positive or negative number.

    Any help with the regex would be appreciated.



  • 2.  Re: Logmon Regex question

    Posted Oct 22, 2012 04:04 PM

    The regex works fine, what are you having problems with, getting the 8th group into logmon as a variable?



  • 3.  Re: Logmon Regex question

    Posted Oct 22, 2012 05:02 PM

    No, the variable isn't being picked up as a numerical value, so we are unable to QoS it.



  • 4.  Re: Logmon Regex question

    Posted Oct 22, 2012 05:24 PM

    What I would do is a simple regex like /^\*servername.*/ so that it picks each line that starts with your format.

     

    Then I would set up a variable for column 9 to column 9, with the separator set to blank.

     

    What I would expect would be:

     

    *servername ipaddress       2 u  824 1024  377    0.613   -5.983   0.118

     

    Column1: servername

    Column2: ipaddress

    Column3: 2

    Column4: u

    Column5: 824

    Column6: 1024

    Column7: 377

    Column8: 0.613

    Column9: -5.983

    Column10: 0.118.

     

    BUT it might count every space as a column, so there might be 6 columns between ipaddress and 2.  If that is the case you just have to up your column to/from to the appropriate column.

     

     

     



  • 5.  Re: Logmon Regex question

    Posted Oct 22, 2012 05:58 PM

    You might want to open a ticket if you're stuck, but this works just fine for me:

     

     

     

    Here is my CFG for that profile:

     

    <profiles>
       <Negative_test>
          active = yes
          interval = 10 sec
          scanfile = /tmp/test
          scanmode = cat
          alarm = yes
          qos = yes
          message =
          subject =
          monitor_exit_code = No
          max_alarm_sev = 5
          max_alarms =
          max_alarm_msg =
          password =
          <watchers>
             <test>
                active = yes
                match = /.servername.\S*(\d*?).\s*.(\d+).(\w).\s*.(\d+).\s*(\d+).\s*(\d+).\s*.\S*(\d*?).\s*(\S*).\s*.(\S*)./
                level = information
                subsystemid =
                message =
                i18n_token =
                restrict =
                expect = no
                abort = no
                sendclear = no
                count = no
                separator =
                suppid =
                source =
                qos =
                runcommandonmatch = no
                commandexecutable =
                commandarguments =
                pattern_threshold =
                expect_message =
                expect_level =
                <variables>
                   <var>
                      definition = $8
                      qosactive = yes
                      qosname = <Default>
                   </var>
                </variables>
             </test>
          </watchers>
       </Negative_test>
    </profiles>

     

     

    Also:

     

    Make sure you have QoS on Variables enabled:

     



  • 6.  Re: Logmon Regex question

    Posted Oct 22, 2012 06:29 PM

    The regex and logmon watcher seem to work fine for me too. But the -5.983 value in the sample is variable 9 in the regex, not variable 8. The regex also excludes the minus sign when the value is negative; is that intentional?

     

    I tested by putting the sample output into a file and configured logmon to cat that file every check. The watcher generates an alarm for me to check the variables and saves them to QoS, and the values were correct in both cases. Here is the logmon profile I used:

     

       <TEST_ntp>
          active = yes
          interval = 1 min
          scanfile = C:\Temp\ntp.log
          scanmode = cat
          alarm = yes
          qos = yes
          message = no
          user = 
          monitor_exit_code = No
          max_alarm_sev = 5
          max_alarms = 
          max_alarm_msg = 
          password = 
          subject = 
          <watchers>
             <output>
                active = yes
                match = /.servername.\S*(\d*?).\s*.(\d+).(\w).\s*.(\d+).\s*(\d+).\s*(\d+).\s*.\S*(\d*?).\s*(\S*).\s*.(\S*)./
                level = major
                subsystemid = 
                message = Got a match - var8 = $var8 / var9 = $var9
                i18n_token = 
                restrict = 
                expect = no
                abort = no
                sendclear = no
                count = no
                separator = 
                suppid = 
                source = 
                target = 
                qos = 
                runcommandonmatch = no
                commandexecutable = 
                commandarguments = 
                pattern_threshold = 
                expect_message = 
                expect_level = 
                <variables>
                   <var8>
                      definition = $8
                      qosactive = yes
                      qosname = <Default>
                      qostarget = var8
                   </var8>
                   <var9>
                      definition = $9
                      qosactive = yes
                      qosname = <Default>
                      qostarget = var9
                   </var9>
                </variables>
             </output>
          </watchers>
       </TEST_ntp>

     We may be able to clean up the regex a bit too, which I started to do and then realized I might not know enough about how all of those values can look and still be legitimate.



  • 7.  Re: Logmon Regex question

    Posted Oct 23, 2012 02:36 PM

    Hi,

     

    I also have logmon watcher checking ntpq -p output to find the offset value compared to primary source, but I don't see much use for regex in this case. What I do is I look for the row starting with or containing (can't remember the details now) asterisk "*", and then I use whitespace/blank as separator and pick the proper column number into a variable. If I remember correctly it rounds the decimal value to an integer, but the accuracy should be sufficient I believe.

     

    -jon
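
The following Python sketch is an added example, not code from any poster in this thread. It runs the thread's original pattern and the column approach from replies 4 and 7 against the sample line, using Python's `re` rather than logmon's own engine, so logmon's variable numbering is not reproduced; the `ANCHORED` pattern and all function names are constructed for illustration.

```python
import re

# Sample peer line from the thread, spacing as shown on the page.
SAMPLE = "*servername ipaddress       2 u  824 1024  377    0.613   -5.983   0.118"

# The watcher pattern from the thread, unchanged.
ORIGINAL = re.compile(
    r".servername.\S*(\d*?).\s*.(\d+).(\w).\s*.(\d+).\s*(\d+).\s*(\d+)"
    r".\s*.\S*(\d*?).\s*(\S*).\s*.(\S*)."
)

# Constructed alternative (an assumption, not from the thread): anchor on the
# '*' marker, skip seven whitespace-separated fields, capture a signed decimal.
ANCHORED = re.compile(r"^\*\S+(?:\s+\S+){7}\s+([+-]?\d+(?:\.\d+)?)\s+\S+\s*$")


def original_groups(line):
    """Groups 1..9 of the thread's pattern under Python's re, or None."""
    m = ORIGINAL.search(line)
    return list(m.groups()) if m else None


def column_of(line, value, sep=None):
    """1-based column of value; sep=None splits on runs of whitespace."""
    return line.split(sep).index(value) + 1


def offset_by_column(line, column=9):
    """Offset of the '*' (selected) peer as a float, or None."""
    fields = line.split()
    if not line.startswith("*") or len(fields) < column:
        return None
    try:
        return float(fields[column - 1])  # float() keeps the sign
    except ValueError:
        return None


def offset_by_regex(line):
    """Same value via the anchored pattern, or None if the line differs."""
    m = ANCHORED.match(line)
    return float(m.group(1)) if m else None


if __name__ == "__main__":
    # The unanchored '.' padding in the original pattern consumes digits:
    # group 4 is '24' (not '824') and group 9 is '.11' (not '0.118').
    print(original_groups(SAMPLE))
    print(column_of(SAMPLE, "-5.983"), column_of(SAMPLE, "-5.983", " "))
    print(offset_by_column(SAMPLE), offset_by_regex(SAMPLE))
```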