We have a requirement as below.
If the string "because it is being used by another process" is in the log content and is followed by the string "Email Sent" in the next immediate line (next immediate log entry), the alarm should not be generated. However, if the string "because it is being used by another process" is not in the log entry and "Email Sent" is in the next immediate line, the alarm should be generated.
Example Log Entry to not generate the alarm
2019/05/15 14:25:32 frmJob.DataProcessStart: frmJob.DataProcessUnzipAndArchiveZip: ZipUtility.unzip: The process cannot access the file 'D:\FileNet\Applications\DataImEx\eSubToBFO\Process\XYZ.zip' because it is being used by another process.
2019/05/15 14:25:33 Email Sent
Example Log Entry to generate the alarm
2019/05/15 14:25:32 frmJob.DataProcessStart: frmJob.DataProcessUnzipAndArchiveZip: ZipUtility.unzip: The process cannot access the file 'D:\FileNet\Applications\DataImEx\eSubToBFO\Process\XYZ.zip' because it is not available in the path.
2019/05/15 14:25:33 Email Sent
Please help me with the RegEx to handle the above two scenarios.
Seems that you don't need to match that whole string and may not even need all of this: not available in the path
Search the file for the smallest unique string and use that for your match.
This doc has been my greatest help:
REGEX: Part 1 - The Basics - CA Knowledge
Thank you David. Here, I am not able to achieve the requirement with basic RegEx.
More information --> The log file contains the Email Sent string in most of the log entries, and the requirement is to avoid alarming if the Email Sent string appears in the log entry after a "because it is being used by another process" string in the preceding log entry. The rest of the Email Sent entries should generate an alarm irrespective of the preceding log entry content.
so is it
alarm only when this shows up because it is not available in the path.
and the prior line has Email Sent
and two lines before does not have because it is being used by another process.
yeah, don't know how to set that up, or have the time to work through it.
Perhaps one of the other community members with regex experience knows.
However keep in mind in two days on the 24th, communities is read only in preparation for the migration from ca.com to broadcom.com.
Logmon doesn't support regex that spans multiple lines. That is the source of your problem.
As such there are three ways to go about working around this:
1. Not seeing the whole file, it's hard to know what else is in it, but logmon supports setting up "Format Rules" where you can essentially redefine what a line is. It looks like the beginning of the line could be defined by a date followed by two words that are not "Email Sent", and the end of the line could be defined by a date and "Email Sent".
Then you can build watcher regex against those blocks of text.
2. Do this in a command - it wouldn't be impossible to write a PowerShell script that looked for patterns matching your logic and kept track of where it was in the file. Then you have logmon run that.
3. Change the logging of the process you are trying to monitor so that it outputs an easily identifiable message.
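
A sketch of option 2, added here as an example and not posted by anyone in the thread: it reads only the bytes appended since the last run, remembers the last entry across runs, and prints a line for every "Email Sent" entry whose preceding entry is not the file-lock error. The file paths, the JSON state file and the "ALARM" output prefix are assumptions, and the log is assumed to be ASCII/UTF-8.

```powershell
# Added example (not from the thread). Paths, the state-file format and the
# "ALARM" output prefix are assumptions; the log is assumed to be ASCII/UTF-8.
param(
    [string]$LogPath   = 'C:\Temp\job.log',        # hypothetical log path
    [string]$StatePath = 'C:\Temp\job.log.state'   # hypothetical state file
)

$suppress = 'because it is being used by another process'
$trigger  = 'Email Sent'

# Restore the byte offset and the last entry seen by the previous run.
$offset = [long]0
$previous = ''
if (Test-Path -LiteralPath $StatePath) {
    $saved = Get-Content -LiteralPath $StatePath -Raw | ConvertFrom-Json
    $offset = [long]$saved.Offset
    $previous = [string]$saved.Previous
}

# Share the file for read/write so the monitored job is never locked out.
$fs = [System.IO.File]::Open($LogPath, 'Open', 'Read', 'ReadWrite')
try {
    # A file shorter than the saved offset was rotated or truncated.
    if ($fs.Length -lt $offset) { $offset = 0; $previous = '' }
    $null = $fs.Seek($offset, 'Begin')
    $bytes = New-Object byte[] ([int]($fs.Length - $offset))
    $read = $fs.Read($bytes, 0, $bytes.Length)
} finally {
    $fs.Dispose()
}

# Consume only complete lines; a half-written last line waits for the next run.
$end = if ($read -gt 0) { [Array]::LastIndexOf($bytes, [byte]10, $read - 1) + 1 } else { 0 }
$text = [System.Text.Encoding]::UTF8.GetString($bytes, 0, $end)

foreach ($line in ($text -split '\r?\n')) {
    if ($line.Trim() -eq '') { continue }          # blank lines are not entries
    # Alarm on "Email Sent" unless the entry right before it is the lock error.
    if ($line.Contains($trigger) -and -not $previous.Contains($suppress)) {
        "ALARM $line"
    }
    $previous = $line
}

@{ Offset = $offset + $end; Previous = $previous } | ConvertTo-Json |
    Set-Content -LiteralPath $StatePath
```

Each qualifying entry comes out as a single self-contained line, so whatever consumes the command output only needs a one-line match on the prefix.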