Logmon probe with URL mode - can't get it to work how I would like

Discussion created by sfb on Apr 17, 2014
Latest reply on Apr 17, 2014 by 1_keithk

I'd like to read from a URL, process the results line by line, generate alarm messages from some of the numbers; I think LogMon can do it, but I can't make it work.


The URL is an email service's API  (no complicated HTML), it returns something like this:








Pattern is: email domain, queue 1 length, queue 2 length.


I've taken a copy of the output and am serving it from a local webserver for faster testing.


Approach 1: using Logmon and a field delimiter


  1. New logmon profile, URL mode, looking at http://myserver/mailq.txt
  2. untick "generate quality of service"
  3. New watcher rule:
  4. match expression:     *,*  (look at any line with a comma in it)
  5. message:     test ${domain} : ${queue1} : ${queue2}
  6. New variables: domain (from column 1), queue1 (from column 2), queue2 (from column 3)
  7. field separator: ,  (comma)

What I hope: alarm messages, one per domain, each like:  "test example.org : 10 : 5"

What I get: a single message: "test OK  example.org : 0 : ${queue2}"


I vary this approach by:

  • setting the match expression to "/^.*$/" to match anything within a line (worse, now gives a single message "test : : ${queue2}").
  • Match expression to * (logmon probe jumps to 10-15% cpu but does nothing different with alarms)
  • Match expression blank (probe ramps to 25% cpu (one core maxed out) but does nothing different with alarms)
  • Playing with column numbers (are they counted 0,1,2 instead? no that's also not working)

 Approach 2: using regex groups


  1. Remove the above watcher rule, add a new one, match expression: /(.*),(\d+),(\d+)/
  2. Message: test ${domain} : ${queue1} : ${queue2}
  3. New variables, domain (match expresison 1), queue1 (match expression 2), queue2 (match expression 3)
  4. This time set the two queue variables expected value = 0

Expected result: the regex has three groups, they are used for the variables, one alarm message per domain, each message contains the domain and the two queue numbers.


Actual result: one message, content: the web page content. "test OK example.org,0,0 example.com...".


I have also varied the above tests trying on the real site, experimenting with trial and error on the match expression and the variable settings, and changing the line endings in my test file, and pointing it at the real live URL. I can get garbage out, or nothing, but not what I expect.


My suspion at the moment is that the logmon probe treats URL mode as a single line of content and cannot run through it line by line, or that I'm misunderstanding something fundamental in the setup.


Is there any way I can make this work?