afraid If I am boring you but I am not expert at all with regexp.
I have a log file formatted in this way:
2015-09-09-126.96.36.1994823+120 E311002400E915 LEVEL: Error
PID : 17204 TID : 140039667078912 PROC : db2acd 0
INSTANCE: db2inst1 NODE : 000 DB : ICMPLSDB
APPID : *LOCAL.db2inst1.150909112533
FUNCTION: DB2 UDB, Administrative Task Scheduler, AtsDbInfo::cleanupStaleEntries, probe:400
MESSAGE : ZRC=0xFFFFFDD9=-551
SQL0551N The statement failed because the authorization ID does not
have the required authorization or privilege to perform the
operation. Authorization ID: "". Operation: "". Object: "".
within this multilines I have to match "LEVEL: Error" and return as message the lines from MESSAGE until the end.
So I think I should on format rules set a regexp for the start expression that can match the date or just 2015 and on the end rule set blankline.
After that I should set watcher rules to match LEVEL: Error. So first of all i would need this two regexp... and then how can send on the message this multiline message? is it supported?
thank you for support