DX Infrastructure Manager

Expand all | Collapse all

Logmon regex with watcher

Jump to Best Answer
  • 1.  Logmon regex with watcher

    Posted 01-29-2016 08:16 AM

    I'm trying to capture GET_THIS_MATCH (the text could differ) in a log-file.

     

    So what I want my regex to do, is to capture anyting behind the word "submitted" until the next "/".

     

    The logfile:

    Library QBRM added to library list.

    Job 000000/USER/GET_THIS_MATCH submitted to job queue QSYSNOMAX in library QSYS.

     

    I have this one now: (?<=\/)(\S+)\ssubmitted

    But that get's me all the way to the first "/"... this is in a regex-tester though, but doesn't work in Logmon when I test the profile. Why?

     

     

    I also need watcher that looks if there isn't anything in the log with ".../GET_THIS_MATCH submitted.....". And I need those to have the same suppression

    Would really appreciate some help here



  • 2.  Re: Logmon regex with watcher

    Posted 02-01-2016 05:04 AM

    Someone please?



  • 3.  Re: Logmon regex with watcher

    Posted 02-01-2016 03:22 PM

    wouldn't simply /USER\/(.*?)\ssubmitted/ do?

     

    alternatively if USER may be different, then /.*\/(.*?)\ssubmitted/



  • 4.  Re: Logmon regex with watcher

    Posted 02-02-2016 03:29 AM

    Hi John,

     

    Thx for the reply.

    Well, no :/ It works in a regex-tester. But not in Logmon.

    Do I need any format rules? The log-file has 3 lines, the last one is empty with a new line. Is this a problem?

     

    The logfile:

    1. Library QBRM added to library list.

    2. Job 000000/USER/GET_THIS_MATCH submitted to job queue QSYSNOMAX in library QSYS.

    3. <new line>



  • 5.  Re: Logmon regex with watcher

    Posted 02-02-2016 10:30 AM

    No I think you really should be fine with that



  • 6.  Re: Logmon regex with watcher

    Posted 02-02-2016 10:51 AM

    No success here :/
    Do you have any idea how I should monitor this when something else will show in the log?
    It could e.g be:
    Authentication failed for user USER2.

    But It could be alot of other things as well. So I need to caputre anything accept what is in my log-file now (GET_THIS_MATCH submitted...... ).



  • 7.  Re: Logmon regex with watcher

    Posted 02-02-2016 10:58 AM

    /^Job\s(\d+)\/(w+)\/(.*)/

     

    Catch the 3rd group in a variable...and you can work then...



  • 8.  Re: Logmon regex with watcher

    Posted 02-03-2016 08:27 AM

    Thx for your reply!!
    I think this would fit better:

    /Job\s(\d+)\/(\w+)\/(\w+)\ssubmitted/

    and capturing the third group.

     

    Well anyway, I think my biggest problem now is to solve how to catch the log-file and generate an alarm if NOT this part is in the log. So a reverse regex somehow, for anything else, except:

    Library QBRM added to library list.

    Job 000000/USER/GET_THIS_MATCH submitted to job queue QSYSNOMAX in library QSYS.

     

    Can you use a negative lookahead? Like:
    /(?!Job\s(\d+)\/(\w+)\/(\w+)\ssubmitted)/



  • 9.  Re: Logmon regex with watcher

    Posted 02-04-2016 01:58 AM

    Once you have the watcher regex defined so that only the wanted lines are matched you can define variables in thay watcher (example variable from4 where you define that it's from the 4th word till the end of the line)

    This variable can be used in your alarm message



  • 10.  Re: Logmon regex with watcher

    Posted 02-05-2016 03:54 AM

    Can you keep it simple?

     

    \/([^/]+)\s+submitted

     

    So match a /, then capture anything that is not a / followed by <space>submitted.

     

    Sorry but I don't have a logmon instance here to test against.



  • 11.  Re: Logmon regex with watcher
    Best Answer

    Posted 02-05-2016 07:30 AM

    So this was my solution:

     

    I did a simple regex match, not only beause alot of other regex didn't work (worked in my regex-tester but not in Logmon), but this one also included the whole job, with the "job number/user/job name" (e.g. 123456/USER/JOBNAME)

    My regex:

    /Job\s(.*)\ssubmitted/

    Caputuring the first and only group, with the variable "Match expression": 123456/USER/JOBNAME

    When I capture this regex, everything is fine, in this case this means that my backup-job is submitted to another partition (IBMi/iSeries).

     

    The next thing I did to capture this if it DIDN'T match, was to use the advanced tab.

    Here I checked the "match on every run", with a "Send clear alarm". This means that if my regex does match, the alarm will clear. Though if it doesn't match, it will use the "message to send" I added in the Standard tab.

     

    Maybe this will help someone else struggling with how to clear or generate an alarm with the same watcher-profile.