I'm trying to capture GET_THIS_MATCH (the text could differ) in a log-file.
So what I want my regex to do, is to capture anyting behind the word "submitted" until the next "/".
Library QBRM added to library list.
Job 000000/USER/GET_THIS_MATCH submitted to job queue QSYSNOMAX in library QSYS.
I have this one now: (?<=\/)(\S+)\ssubmitted
But that get's me all the way to the first "/"... this is in a regex-tester though, but doesn't work in Logmon when I test the profile. Why?
I also need watcher that looks if there isn't anything in the log with ".../GET_THIS_MATCH submitted.....". And I need those to have the same suppression
Would really appreciate some help here
wouldn't simply /USER\/(.*?)\ssubmitted/ do?
alternatively if USER may be different, then /.*\/(.*?)\ssubmitted/
Thx for the reply.
Well, no :/ It works in a regex-tester. But not in Logmon.
Do I need any format rules? The log-file has 3 lines, the last one is empty with a new line. Is this a problem?
1. Library QBRM added to library list.
2. Job 000000/USER/GET_THIS_MATCH submitted to job queue QSYSNOMAX in library QSYS.
3. <new line>
No I think you really should be fine with that
No success here :/Do you have any idea how I should monitor this when something else will show in the log?It could e.g be:Authentication failed for user USER2.
But It could be alot of other things as well. So I need to caputre anything accept what is in my log-file now (GET_THIS_MATCH submitted...... ).
Catch the 3rd group in a variable...and you can work then...
Thx for your reply!!I think this would fit better:
and capturing the third group.
Well anyway, I think my biggest problem now is to solve how to catch the log-file and generate an alarm if NOT this part is in the log. So a reverse regex somehow, for anything else, except:
Can you use a negative lookahead? Like:/(?!Job\s(\d+)\/(\w+)\/(\w+)\ssubmitted)/
Once you have the watcher regex defined so that only the wanted lines are matched you can define variables in thay watcher (example variable from4 where you define that it's from the 4th word till the end of the line)
This variable can be used in your alarm message
Can you keep it simple?
So match a /, then capture anything that is not a / followed by <space>submitted.
Sorry but I don't have a logmon instance here to test against.
So this was my solution:
I did a simple regex match, not only beause alot of other regex didn't work (worked in my regex-tester but not in Logmon), but this one also included the whole job, with the "job number/user/job name" (e.g. 123456/USER/JOBNAME)
Caputuring the first and only group, with the variable "Match expression": 123456/USER/JOBNAME
When I capture this regex, everything is fine, in this case this means that my backup-job is submitted to another partition (IBMi/iSeries).
The next thing I did to capture this if it DIDN'T match, was to use the advanced tab.
Here I checked the "match on every run", with a "Send clear alarm". This means that if my regex does match, the alarm will clear. Though if it doesn't match, it will use the "message to send" I added in the Standard tab.
Maybe this will help someone else struggling with how to clear or generate an alarm with the same watcher-profile.