Multiline matching in logmon

    Posted 02-07-2008 02:56 AM
    Has anyone figured out the actual way to get these to work? I'd really appreciate someone posting a real-life example of a configuration on the forums as the nimbus docs aren't too specific on the matter.

    Posted 02-07-2008 03:33 AM
    I think I have successfully configured the probe to group multiple lines as a single log message.  Are you wondering how to do that or how to make a watcher match a string or regular expression across the grouped lines?  I think all of the watchers we use are still fairly short and only cover a few words on one line.

    I can share the config we use for grouping, but I have a feeling that is not what you are looking for.  Let me know.


    Posted 02-07-2008 03:45 AM
    An example of how to make a format rule for a multiline message would be nice, also knowing how that string is presented to a watcher for regexp parsing. Let's say I have a logfile like:

    ERROR: ERRORTYPE (some debugdata)
    Company.Software.Module.DataAccessLayer.DAOException: Userfriendly error message ---> something.something, etc, blabber

    Should a format rule with a start expression of /\+)\].*/
    and an end expression of the same kind somehow 'wrap' the multiple rows? How do I actually handle them in the watcher if I restrict it to use the format rule above?
    Should I then match /\+)\] ERROR: (+) (+): (.*) --.*/
    or something like: /\+)\] ERROR: (+)\n(+):(.*) --.*/m


    Posted 02-07-2008 04:48 AM

    Unfortunately, I think my example is probably much simpler than yours.  The end of a log message is marked by a blank line, so the configuration is fairly easy.  Here is the <formats> section from the config file:



                active = yes
                start = /./
                end = blankline
                lines = 0



    In your case, is there anything that tells you that you have reached the end of a particular log message?  Or do you know simply because you see the start of a new log message?  I noticed that in the config GUI, the end expr. option has a checkbox next to it, indicating it is optional.  According to the help, you need an end expr. or a certain number of lines to include, so I am not sure if you can make a format that says to stop at the next log entry.

    As far as your example is concerned, I think your start expression would work, although I would simplify it to this: /^\+\]/

    You should not need the parentheses since you are not extracting any variables with this expression.  There is no need to end with .* since a regex is always a partial match unless you anchor it.  The ^ at the beginning is an anchor that would tell the regex that the [ character needs to be the first thing on the line.

    Because a regex only needs to be a partial match, that should simplify your options for your watcher(s).  For example, you might be able to do something as simple as /ERROR/ if you just want every message that contains the word "ERROR" anywhere in it.  I am not 100% sure if the watcher works regardless of which line contains the string, but I would expect it to (but might test to be sure).

    I hope this helps a little bit.  If you have more questions, please keep them coming.  The nice thing about logmon is that it is kind of easy to test.  You can copy a profile to make a test version of it and point it to some other file.  Then you can just add lines manually to that test file to find out if they match or not.
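
Added example, not part of the thread and not logmon's own code: a small Python model of the format discussed above (start = /./, end = blankline) for checking offline how a watcher regex behaves against a grouped record. It assumes grouped lines are joined with a newline and uses Python's `re` rather than the probe's regex engine; the sample log and the names `group_records` and `watch` are constructed for illustration.

```python
import re

# Constructed sample log: records separated by a blank line, as in the
# posted format (start = /./, end = blankline).
SAMPLE_LOG = """\
ERROR: ERRORTYPE (some debugdata)
Company.Software.Module.DataAccessLayer.DAOException: Userfriendly error message ---> something.something, etc, blabber

INFO: service started

ERROR: OTHERTYPE (more debugdata)
Company.Software.Module.Web.PageException: Second message ---> detail
"""

def group_records(text, start=r".", joiner="\n"):
    """Open a record at a line matching `start`, close it at a blank line."""
    start_re = re.compile(start)
    records, current = [], None
    for line in text.splitlines():
        if current is None:
            if line.strip() and start_re.search(line):
                current = [line]
        elif not line.strip():
            records.append(joiner.join(current))
            current = None
        else:
            current.append(line)
    if current is not None:  # file ended without a trailing blank line
        records.append(joiner.join(current))
    return records

def watch(records, pattern, flags=0):
    """Return (record_index, captured groups) for each record the pattern hits."""
    rx = re.compile(pattern, flags)
    hits = []
    for i, rec in enumerate(records):
        m = rx.search(rec)  # search() is a partial (unanchored) match
        if m:
            hits.append((i, m.groups()))
    return hits

FIELDS = r"^ERROR: (\S+) .*\n(\S+): (.*?) --->"  # hypothetical watcher pattern
RECORDS = group_records(SAMPLE_LOG)
# A short unanchored pattern hits regardless of which line holds the text.
EXCEPTION_HITS = watch(RECORDS, r"DAOException")
# Pulling fields from both lines needs an explicit \n: "." stops at a newline.
FIELD_HITS = watch(RECORDS, FIELDS)
```

If the grouped lines were joined with a space instead (`joiner=" "`), the `\n` in `FIELDS` would never match, which is why it matters how the grouped message is handed to the watcher.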


