Version 2.7.41 of the product is in limited support, while version 2.7.44 is fully supported. This documentation includes content for both versions.

 

Defining multiple search criteria for a text instance


The /PMG/CONFIG/instanceName/actPatterns pconfig branch enables you to define multiple search criteria for a text instance. Each search criterion has a unique identifier (key) and a collection of fields (value).

The key-value pair represents a search criterion. Each field in a search criterion is separated by the <Ctrl+B> character, as follows:

Not<Ctrl+B>string1<Ctrl+B>Not<Ctrl+B>string2<Ctrl+B>threshold#1<Ctrl+B>state1<Ctrl+B>threshold#2<Ctrl+B>state2<Ctrl+B>overrideDefSetting<Ctrl+B>customEventOrigin<Ctrl+B>customEventMsg<Ctrl+B>numRegEx<Ctrl+B>IgnoreDuplicateEventsForMinutes<Ctrl+B>pollingIntrvl

In the preceding format, numRegEx refers to a collection of fields that are separated by commas. The fields include:

  • firstNum
  • Op1
  • BeginToken
  • EndToken
  • Op2
  • SecondNum

For example, suppose you configure a search criterion for a text instance through the GUI with the following settings:

  • String1 (string1): ERROR\\|INFO|SEVERE
  • String2 (string2): Server.* (Not is selected for String2)
  • Threshold#1 (threshold#1): 2 and the corresponding state is WARN
  • Threshold#2 (threshold#2): 6 and the corresponding state is ALARM
  • Custom Event Message (customEventMsg): This is a custom event %1-.
  • Custom Event Origin (customEventOrigin): %APPCLASS%.%INSTANCE%.%SEARCHID%
  • First Number (firstNum): 15
  • Op1 (Op1): >=
  • Begin token (BeginToken): 1
  • End token (EndToken): 3
  • Op2 (Op2): >
  • Second Number (SecondNum): 10
  • Ignore Duplicate Events For ... Minutes (IgnoreDuplicateEventsForMinutes): 5
  • Polling Interval (Generate ALARM when pattern not found within ... polling intervals) (pollingIntrvl): 2

You can configure the preceding search criterion for the text instance by using the following pconfig variable format:

0<Ctrl+B>ERROR\\|INFO|SEVERE<Ctrl+B>1<Ctrl+B>Server.*<Ctrl+B>2<Ctrl+B>3<Ctrl+B>6<Ctrl+B>4<Ctrl+B>1<Ctrl+B>%APPCLASS%.%INSTANCE%.%SEARCHID%<Ctrl+B>This is a custom event %1-<Ctrl+B>15,4,1,3,1,10<Ctrl+B>5<Ctrl+B>2

With the preceding pconfig variable format, lines that contain the regular expression ERROR\\|INFO|SEVERE and that do not contain the regular expression Server.* are matched only if they contain a number that is greater than 10 and less than 15 between the first and third columns (including both the first and the third).

If the number of matches found is between 2 and 5, WARNING events are generated. If the number of matches is 6 or more, ALARM events are generated. Generated custom events contain the custom event message.
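The following is an added example, not part of the product documentation: a small Python parser that splits one actPatterns value on the Ctrl+B byte (ASCII 0x02) into the named fields listed above, so that a configured criterion can be reviewed in readable form. The function names are hypothetical, the value is assumed to have already been read from pconfig as a string, and the numeric codes for states and operators are inferred only from the single example on this page.

```python
SEP = "\x02"  # Ctrl+B is ASCII 0x02 (STX), the field separator

# Field order exactly as given in the format line on this page.
FIELDS = ("not1", "string1", "not2", "string2", "threshold1", "state1",
          "threshold2", "state2", "overrideDefSetting", "customEventOrigin",
          "customEventMsg", "numRegEx", "IgnoreDuplicateEventsForMinutes",
          "pollingIntrvl")
NUM_FIELDS = ("firstNum", "Op1", "BeginToken", "EndToken", "Op2", "SecondNum")

# Assumption: codes inferred from the page's one example; unknown codes stay raw.
STATES = {"3": "WARN", "4": "ALARM"}
OPS = {"1": ">", "4": ">="}


def parse_criterion(value):
    """Split one actPatterns value into named fields; reject malformed input."""
    parts = value.split(SEP)
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    crit = dict(zip(FIELDS, parts))
    nums = crit["numRegEx"].split(",")
    if len(nums) != len(NUM_FIELDS):
        raise ValueError(f"numRegEx: expected {len(NUM_FIELDS)} values, got {len(nums)}")
    crit["numRegEx"] = dict(zip(NUM_FIELDS, nums))
    return crit


def summarize(crit):
    """Render a parsed criterion as one reviewable line."""
    def pat(flag, regex):
        return ("NOT " if flag == "1" else "") + f"/{regex}/"
    n = crit["numRegEx"]
    return "; ".join([
        f"{pat(crit['not1'], crit['string1'])} and {pat(crit['not2'], crit['string2'])}",
        f"{crit['threshold1']} matches -> {STATES.get(crit['state1'], crit['state1'])}",
        f"{crit['threshold2']} matches -> {STATES.get(crit['state2'], crit['state2'])}",
        f"tokens {n['BeginToken']}-{n['EndToken']}: {n['firstNum']} "
        f"{OPS.get(n['Op1'], n['Op1'])} n {OPS.get(n['Op2'], n['Op2'])} {n['SecondNum']}",
    ])


# The page's example value, with the <Ctrl+B> placeholder turned into the real byte.
EXAMPLE = (r"0<Ctrl+B>ERROR\\|INFO|SEVERE<Ctrl+B>1<Ctrl+B>Server.*<Ctrl+B>2<Ctrl+B>3"
           r"<Ctrl+B>6<Ctrl+B>4<Ctrl+B>1<Ctrl+B>%APPCLASS%.%INSTANCE%.%SEARCHID%"
           r"<Ctrl+B>This is a custom event %1-<Ctrl+B>15,4,1,3,1,10<Ctrl+B>5<Ctrl+B>2"
           ).replace("<Ctrl+B>", SEP)

if __name__ == "__main__":
    print(summarize(parse_criterion(EXAMPLE)))
```

A value with a missing or extra separator raises ValueError instead of silently shifting fields, which is the failure to watch for when these strings are edited by hand.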

 


BMC PATROL for Log Management 2.7