DX Unified Infrastructure Management

  • 1.  Multiline matching in logmon

    Posted Feb 07, 2008 02:56 AM
    Has anyone figured out the actual way to get these to work? I'd really appreciate someone posting a real-life example of a configuration on the forums as the nimbus docs aren't too specific on the matter.


  • 2.  Multiline matching in logmon

    Posted Feb 07, 2008 03:33 AM
    I think I have successfully configured the probe to group multiple lines as a single log message.  Are you wondering how to do that or how to make a watcher match a string or regular expression across the grouped lines?  I think all of the watchers we use are still fairly short and only cover a few words on one line.

    I can share the config we use for grouping, but I have a feeling that is not what you are looking for.  Let me know.

    Regards,
    Keith


  • 3.  Multiline matching in logmon

    Posted Feb 07, 2008 03:45 AM
    An example of how to make a format rule for a multiline message would be nice, also knowing how that string is presented to a watcher for regexp parsing. Let's say I have a logfile like:

    ERROR: ERRORTYPE (some debugdata)
    Company.Software.Module.DataAccessLayer.DAOException: Userfriendly error message ---> something.something, etc, blabber
    Stacktracestuff.more.of.this
       etc
       etc

    Should a format rule with a start expression of /\+)\].*/
    and an end expression of the same kind somehow 'wrap' the multiple rows? How do I actually handle them in the watcher if I restrict it to use the format rule above?
    Should i then match /\+)\] ERROR: (+) (+): (.*) --.*/
    or something like: /\+)\] ERROR: (+)\n(+):smileysad:.*) --.*/m

    BR,
     Sami


  • 4.  Multiline matching in logmon

    Posted Feb 07, 2008 04:48 AM
    Sami,

    Unfortunately, I think my example is probably much simpler than yours.  The end of a log message is marked by a blank line, so the configuration is fairly easy.  Here is the <formats> section from the config file:

          <formats>

             <MESSAGE>

                active = yes

                start = /./

                end = blankline

                lines = 0

             </MESSAGE>

          </formats>

    In your case, is there anything that tells you that you have reached the end of a particular log message?  Or do you know simply because you see the start of a new log message?  I noticed that in the config GUI, the end expr. option has checkbox next to it, indicating it is optional.  According to the help, you need an end expr. or a certain number of lines to include, so I am not sure if you can make a format that says to stop at the next log entry.

    As far as your example is concerned, I think your start expression would work, although I would simplify it to this: /^\+\]/

    You should not need the parenthesis since you are not extracting any variables with this expression.  There is no need end with .* since a regex is always a partial match unless you anchor it.  The ^ at the beginning is an anchor that would tell the regex that the [ character needs to be the first thing on the line.

    Because a regex only needs to be a partial match, that should simplify your options for your watcher(s).  For example, you might be able to do something as simple as /ERROR/ if you just want every message that contains the word "ERROR" anywhere in it.  I am not 100% sure if the watcher works regardless of which line contains the string, but I would expect it to (but might test to be sure).

    I hope this helps a little bit.  If you have more questions, please keep them coming.  The nice thing about logmon is that it is kind of easy to test.  You can copy a profile to make a test version of it and point it to some other file.  Then you can just add lines manually to that test file to find out if they match or not.

    Regards,
    Keith


  • 5.  Re: Multiline matching in logmon