DX Unified Infrastructure Management

  • 1.  Looking for multiple strings in a logfile to generate an alarm

    Posted Nov 16, 2018 11:06 AM

    I'm trying to figure out the best way to generate a logmon alarm if two strings are present in a log file when it is polled.  Has anyone ever done this?  The strings I'm looking for could be separated by hundreds of other entries between them.  I've played around using triggers and two separate log watchers, but the trigger seems to allow the alerts to pass and then I get the AO profile alarm kicked off by the triggers also.  I'm looking for a single alarm when the two strings are present in the same polling period.

     

    Thanks,

     

    Larry



  • 2.  Re: Looking for multiple strings in a logfile to generate an alarm

    Broadcom Employee
    Posted Nov 16, 2018 11:24 AM

    Hi Larry,

     

    You could try this as this regex uses an AND operator.

     

    /(.*string1.*)(.*string2.*)/

     

    Regards,

    Steve



  • 3.  Re: Looking for multiple strings in a logfile to generate an alarm

    Posted Nov 16, 2018 01:29 PM

    That regex only works on one line.

     

    My suggestion would actually be to script this and to use logmon to run that script. That would put you in complete control of the logic used instead of trying to figure out how to simulate it with logmon.

     

    As it is, you are dependent on logmon reading the log file in such a way that it gets the two strings.

     

    If trying to do this fully within UIM, then you'll need to deal with three alarms: text string 1 occurring, text string 2 occurring, and an alarm you create where string 1 and string 2 exist.

     

    You can use triggers to keep track of the strings occurring alarms but really, if you ignore the name, a trigger is just a pre calculated list of alarms that match a criteria. Makes it faster to get at them if you have a slow nas or a lot of alerts.

     

    Otherwise, you would have an on arrival script that matches the alarms for these two strings and if only none or one of them exists, it closes the "Both strings exist" alarm that you create; otherwise, if both exist, it creates the "Both strings exist" alarm.

     

    Search for "correlation" and you should find some examples.



  • 4.  Re: Looking for multiple strings in a logfile to generate an alarm

    Posted Nov 16, 2018 01:51 PM

    Hi Steve,

     

    The AND doesn't seem to work in logmon expression field.

     

    I set up a test file with the following entries.

     

    TestOne

    TestTwo

    TestThree

    TestFour

    TestFive

     

    I first tried /(TestOne)(TestFive)/ with no luck.  Also, various combinations with ^, $, .*

     

    I then moved TestFive up to the first line

     

    TestOne TestFive and still no luck with the expression above.

     

    But, if I put /TestOne TestFive/ it works fine.  But as I expected, it only works if both are on the same line.  Any idea why the AND didn't work even on the single line?

     

    Thanks,

     

    Larry



  • 5.  Re: Looking for multiple strings in a logfile to generate an alarm

    Posted Nov 16, 2018 02:12 PM

    The regex /(.*string1.*)(.*string2.*)/ translates to the following:

     

    Begin capture one, assign to capture one the longest text string that starts with zero or more characters, is followed by string1 and then followed by the longest text string of zero or more characters followed by the longest text string of zero or more characters followed by string2 followed by the longest text string of zero or more characters. When the start of the last occurrence of string2 in the test string is found, stop capture one and begin capture two and assign it the text string2 followed by the rest of the string.

     

    This isn't really an "and" statement and it doesn't span multiple lines of the log file.

     

    As it is today, there is no way to do that. The first step of it, if it did work, would be to establish a format that identified a block of text that included both lines.

     

    Possibly you could establish the format with "string1" identifying the start of the text block and string2 identifying the end of the block. Then have a watcher that identified text that was known to be in the block - like string 1.

     

    regexpal.com is a nice resource for testing regex patterns and some help on patterns in general.
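
Added example (not posted by anyone in this thread, and not logmon code): a Python sketch of the scripted check suggested in reply 3, alongside the per-line regex behaviour described in reply 5. The names `line_hits`, `poll` and `demo` and the sample file are hypothetical, and the regex results are those of Python's `re` module, which may differ from logmon's own matcher.

```python
import os
import re
import tempfile

def line_hits(lines, pattern):
    """Apply a regex one line at a time, as a line-oriented watcher does."""
    rx = re.compile(pattern)
    return [ln for ln in lines if rx.search(ln)]

def poll(path, offset, needles):
    """Scan what was appended since `offset`.

    Returns (all_present, new_offset, found): all_present is True only when
    every needle occurs somewhere in this polling period's new lines.
    """
    if os.path.getsize(path) < offset:   # truncated or rotated: start over
        offset = 0
    with open(path, "rb") as fh:
        fh.seek(offset)
        chunk = fh.read()
    end = chunk.rfind(b"\n") + 1         # leave a half-written last line for next poll
    text = chunk[:end].decode("utf-8", errors="replace")
    found = {n for n in needles if n in text}
    return found == set(needles), offset + end, found

def demo():
    """Constructed sample data modelled on the test file in the thread."""
    needles = ("TestOne", "TestFive")
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.log")
        with open(path, "wb") as fh:
            fh.write(b"TestOne\nTestTwo\nTestThree\n")
        first = poll(path, 0, needles)            # only TestOne so far
        with open(path, "ab") as fh:
            fh.write(b"TestFour\nTestFive\n")
        second = poll(path, first[1], needles)    # only TestFive in this period
        whole = poll(path, 0, needles)            # both inside one period
    return first[0], second[0], whole[0]

if __name__ == "__main__":
    pattern = r"(.*TestOne.*)(.*TestFive.*)"
    print(line_hits(["TestOne", "TestTwo", "TestFive"], pattern))  # separate lines
    print(line_hits(["TestOne TestFive"], pattern))                # same line, in order
    print(line_hits(["TestFive TestOne"], pattern))                # same line, reversed
    print(demo())
```

The caller keeps `new_offset` between runs, so a single alarm is raised only when both strings arrive inside the same polling period; strings split across two periods do not alarm.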

     

     



  • 6.  Re: Looking for multiple strings in a logfile to generate an alarm

    Posted Nov 16, 2018 02:28 PM

    Thanks for the suggestions Garin.  Deploying a script to the system isn't going to be an option.  I'll have to do it within UIM, so it is disappointing I couldn't handle it within the logmon profile itself.  I'll probably just use two logmon watchers to set triggers and then after the AO profile generates the correlated alarm, go back and close the two individual ones.

     

    Larry