Using regular expressions to create a search criterion to match multiple words
You can use regular expressions to search for multiple, discrete words in a log file. For example, you may want to search a log file for any of the following strings: Error, Warning, or Severe.
Before You Begin
You must be using the PATROL Central Operator - Windows Edition, PATROL Central Operator - Web Edition, or a PATROL Console in Developer mode. You can also add a text file to monitor by using the Log Management PATROL Configuration Manager plug-in as described in PATROL Agent Configuration Variables.
Creating a search criterion for multiple words
To set up a single search criterion to find multiple words
- On the Configure Search Criteria: instanceName: Define Search Criterion dialog box, in the String1 text box, enter the words you want to search the log file for, separated by a backslash (\) followed by a vertical bar (|).
For example, if you want to match any line in the log file that contains any combination of the words Error, Warning, or Severe, you would enter the search string as follows:
Error\|Warning\|Severe
- Fill out or modify the rest of the dialog box fields as described in Monitoring a text instance.
Searching a file for two or more complex messages
The simplest way to search for multiple complex strings is to create multiple search criteria for a file. Even though the Configure Search Criteria: instanceName dialog box contains only two string fields, you can search for multiple strings in a single log file by creating one log definition per discrete search string. Each defined search string is represented by an instance of the LOGT application and contains one or more instances of the monitored file.
If you want to monitor for multiple messages related to the CPU, DISK, memory, or other functions, you would create a log definition for each message rather than attempting to search for multiple messages using one definition.
Example: Monitoring the PATROL Agent Error log
Log Management monitors the PATROL Agent Error log by using two log definitions labeled PAgentLog_Warn and PAgentLog_Alarm. As an example of how you can use two definitions to monitor a single file, this section illustrates the process of setting up these two log definitions for the PATROL Agent error log.
The PAgentLog_Warn definition is configured to search for any of the following messages in the agent error log:
- remaining for PATROL license to expire
- Not authorized connect agent
- Please check parameter history for corruption
- PatrolAgent-E-EFORK: Couldn't fork a new process
If any of these strings are found in the agent error log, the KM generates a WARN event.
To set up the PAgentLog_Warn definition
- Access the LOG application menu as described in Accessing Menu Commands, InfoBoxes, and Online Help.
- Select Add Instance.
- In the Add Instance dialog box, enter PAgent_Warn in the Enter Label for New File to be Added text box.
- Click Accept.
- In the Add File for Label: instanceName dialog box, enter $PATROL_HOME/log/PatrolAgent-hostname-port_number.errs in the File/Pipe Name text box.
- Select Text File as the File Type option.
- Click Next.
- On the Configure Search Criteria: instanceName: Define Search Criterion dialog box, define a unique identification label for the search criterion.
- In the String1 field, enter the following string:
\(remaining for PATROL license to expire\)\|\(Not authorized connect agent\)\|\(Please check parameter history for corruption\)\|\(PatrolAgent-E-EFORK: Couldn't fork a new process\)
- Click Next.
- In the Configure Search Criteria: instanceName: Override Default Settings dialog box, make the required changes and click Next.
- In the Configure Search Criteria: instanceName: Summary dialog box, click Finish.
Now add the log file definition for PAgentLog_Alarm.
The PAgentLog_Alarm definition is configured to search for any of the following messages in the agent error log:
- found inconsistencies
- PatrolAgent-W-EINTERNAL: PatrolAgent is running low on memory
- PatrolAgent: not superuser
- Please check parameter history for corruption
- runqSchedPolicy is now set to 9
- Detected during operation readRec.fseek
If any of these strings are found in the agent error log, the KM generates an ALARM event.
To set up the PAgentLog_Alarm definition
- Access the LOG application menu as described in Accessing Menu Commands, InfoBoxes, and Online Help.
- Select Add Instance.
- In the Add Instance dialog box, select Text Instance and enter PAgent_Alarm in the Enter Label for New File to be Added text box.
- Click Accept.
- In the Add File for Label: instanceName dialog box, enter $PATROL_HOME/log/PatrolAgent-hostname-port_number.errs in the File/Pipe Name text box.
- Select the file type option, Text File.
- Click Next.
- On the Configure Search Criteria: instanceName: Define Search Criterion dialog box, define a unique identification label for the search criterion.
- In the String1 text box, enter the following string:
\(found inconsistencies\)\|\(PatrolAgent-W-EINTERNAL: PatrolAgent is running low on memory\)\|\(PatrolAgent: not superuser\)\|\(Please check parameter history for corruption\)\|\(runqSchedPolicy is now set to 9\)\|\(Detected during operation readRec.fseek\)
- Click Next.
- In the Configure Search Criteria: instanceName: Override Default Settings dialog box, make the required changes and click Next.
- In the Configure Search Criteria: instanceName: Summary dialog box, click Finish.
PATROL adds the log file to the list of monitored log files.
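The two search strings can be dry-run against sample lines before they are entered in String1. The script below is an added example, not part of the PATROL documentation; it assumes that grep's basic regular expressions treat \| and \(...\) the same way the String1 field does, and the sample log lines and function names are constructed for illustration. It shows which event each line would raise, including the message that appears in both definitions, and what a single dropped backslash before a vertical bar does to coverage.

```shell
#!/bin/sh
# Added example: dry-run the PAgentLog search strings with grep before deploying.
# Assumption: grep's basic regular expressions treat \| and \( \) like String1.

WARN_RE="\(remaining for PATROL license to expire\)\|\(Not authorized connect agent\)\|\(Please check parameter history for corruption\)\|\(PatrolAgent-E-EFORK: Couldn't fork a new process\)"
ALARM_RE="\(found inconsistencies\)\|\(PatrolAgent-W-EINTERNAL: PatrolAgent is running low on memory\)\|\(PatrolAgent: not superuser\)\|\(Please check parameter history for corruption\)\|\(runqSchedPolicy is now set to 9\)\|\(Detected during operation readRec.fseek\)"
# Same WARN string with one backslash dropped before a "|": that bar is now a
# literal character, so the two alternatives around it no longer match alone.
BROKEN_RE="\(remaining for PATROL license to expire\)\|\(Not authorized connect agent\)|\(Please check parameter history for corruption\)\|\(PatrolAgent-E-EFORK: Couldn't fork a new process\)"

# Constructed sample lines (not taken from a real agent error log).
SAMPLE_LOG='ID 1001: 14 days remaining for PATROL license to expire
ID 1002: Not authorized connect agent from host example-host
ID 1003: Please check parameter history for corruption
ID 1004: PatrolAgent-W-EINTERNAL: PatrolAgent is running low on memory
ID 1005: agent started normally'

# count_matches REGEX -> number of sample lines the search string matches
count_matches() {
    printf '%s\n' "$SAMPLE_LOG" | grep -c -e "$1" || true
}

# classify LINE -> WARN, ALARM, WARN+ALARM or NONE
classify() {
    result=""
    if printf '%s\n' "$1" | grep -q -e "$WARN_RE"; then result="WARN"; fi
    if printf '%s\n' "$1" | grep -q -e "$ALARM_RE"; then
        result="${result:+$result+}ALARM"
    fi
    printf '%s\n' "${result:-NONE}"
}

# Report the event(s) each sample line would raise.
report() {
    printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do
        printf '%-10s %s\n' "$(classify "$line")" "$line"
    done
}

report
printf 'WARN string matches:   %s\n' "$(count_matches "$WARN_RE")"
printf 'broken string matches: %s\n' "$(count_matches "$BROKEN_RE")"
```

A drop in the match count between the intended string and the one actually entered means some messages would go unmonitored without any error being reported.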