[hobbit] how to search for exact word patterns

Josh Luthman josh at imaginenetworksllc.com
Fri Sep 18 21:56:00 CEST 2009


Wouldn't that work for you at least at this point?

On 9/18/09, Ryan Novosielski <novosirj at umdnj.edu> wrote:
>
> "." is a single character.
>
> Josh Luthman wrote:
>> I thought it was a dot from the example from help.
>>
>> Josh Luthman
>> Office: 937-552-2340
>> Direct: 937-552-2343
>> 1100 Wayne St
>> Suite 1337
>> Troy, OH 45373
>>
>> "When you have eliminated the impossible, that which remains, however
>> improbable, must be the truth."
>> --- Sir Arthur Conan Doyle
>>
>>
>> On Fri, Sep 18, 2009 at 3:08 PM, Greg Hubbard <glh.forums at gmail.com
>> <mailto:glh.forums at gmail.com>> wrote:
>>
>>     Yes -- you only need one % at the beginning of your string to tell
>>     Xymon you are going to use a regular expression.  You do not need
>>     the other % unless they are expected to appear in the log.
>>
>>     When using a regular expression, the | character means "or".  So
>>     your example will "fire" if any message contains any of those
>>     words.  Also you seem to be using * by itself, which means "match
>>     the preceding 0 or more times".  Normally we use "dot star" ".*" to
>>     mean "match anything no matter how long."
>>
>>     Regular expressions are a bit of a mystery, but are very powerful.
>>     Xymon uses Perl-compatible regular expressions (PCRE) so you might be
>>     able to Google some examples.
>>
>>     If you are searching for "Out of memory" in a log file, you can use
>>     "%Out of memory" as your regex string.  I do not remember how you
>>     deal with spaces in the string and the Xymon help is not helpful.
>>     One way to do it would be to change your spaces into \s+ so it would
>>     be %Out\s+of\s+memory  which removes the embedded spaces (so the
>>     Xymon parser does not think part of your regex is some other token
>>     on the command) and also means that you will match if there is at
>>     least one whitespace character between each word -- slightly more
>>     robust than using a single space.
>>
>>     I know the above is a jumble, but if you will post the exact string
>>     you want to match we can help you create the matching expression to
>>     help you get the hang of it.
>>
>>     GLH
>>
>>     On 9/18/09, *Camelia Anghel* <canghel at cjh.org
>>     <mailto:canghel at cjh.org>> wrote:
>>
>>         Right now looks like this:
>>
>>
>>
>>         LOG /var/log/messages
>>         %failure*|%failed*|%error*|%Warning*|%memory*  Color=Red
>>
>>
>>
>>         But if I type
>>
>>         LOG /var/log/messages %failure*|%failed*|%error*|%Warning*|%out
>>         of memory* Color=Red
>>
>>
>>
>>         I’m getting all the messages that have one of these words: out
>>         or of or memory somewhere in their string.
>>
>>
>>
>>         Camelia
>>
>>         -----Original Message-----
>>         *From:* Greg Hubbard [mailto:glh.forums at gmail.com
>>         <mailto:glh.forums at gmail.com>]
>>         *Sent:* Friday, September 18, 2009 1:25 PM
>>         *To:* hobbit at hswn.dk <mailto:hobbit at hswn.dk>
>>         *Subject:* Re: [hobbit] how to search for exact word patterns
>>
>>
>>
>>         Try making it a regex (with % prefix) instead of "simple"
>>         expression.
>>
>>         On 9/18/09, *Camelia Anghel* <canghel at cjh.org
>>         <mailto:canghel at cjh.org>> wrote:
>>
>>         Did that but it looks for all messages that have one of the 3 words
>>
>>         Thanks anyway
>>
>>         Camelia
>>
>>
>>
>>         -----Original Message-----
>>         *From:* Josh Luthman [mailto:josh at imaginenetworksllc.com
>>         <mailto:josh at imaginenetworksllc.com>]
>>         *Sent:* Friday, September 18, 2009 11:22 AM
>>         *To:* hobbit at hswn.dk <mailto:hobbit at hswn.dk>
>>         *Subject:* Re: [hobbit] how to search for exact word patterns
>>
>>
>>
>>         I think it's:
>>
>>         HOST=my.host.com <http://my.host.com/>
>>             LOG /var/log/messages "out of memory" COLOR=red
>>
>>         Not tested.
>>
>>         Josh Luthman
>>         Office: 937-552-2340
>>         Direct: 937-552-2343
>>         1100 Wayne St
>>         Suite 1337
>>         Troy, OH 45373
>>
>>         "When you have eliminated the impossible, that which remains,
>>         however improbable, must be the truth."
>>         --- Sir Arthur Conan Doyle
>>
>>         On Fri, Sep 18, 2009 at 9:26 AM, Camelia Anghel <canghel at cjh.org
>>         <mailto:canghel at cjh.org>> wrote:
>>
>>
>>         Hello all,
>>         I am trying to set up an alert to search for exact word patterns in
>>         /var/log/messages.  For example: "Out of Memory"
>>
>>         Any help would be appreciated.
>>
>>         Thanks,
>>         Camelia
>>
>>
>>
>>
>>
>>
>>
>>         --
>>         Disclaimer:  1) all opinions are my own, 2) I may be completely
>>         wrong, 3) my advice is worth at least as much as what you are
>>         paying for it, or your money cheerfully refunded.
>>
>>
>>
>>
>>     --
>>     Disclaimer:  1) all opinions are my own, 2) I may be completely
>>     wrong, 3) my advice is worth at least as much as what you are paying
>>     for it, or your money cheerfully refunded.
>>
>>
>
>
> - --
>  ---- _  _ _  _ ___  _  _  _
>  |Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Systems Programmer II
>  |$&| |__| |  | |__/ | \| _| |novosirj at umdnj.edu - 973/972.0922 (2-0922)
>  \__/ Univ. of Med. and Dent.|IST/CST - NJMS Medical Science Bldg - C630
>
>
>


-- 
Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

"When you have eliminated the impossible, that which remains, however
improbable, must be the truth."
--- Sir Arthur Conan Doyle
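
The regex points raised in this thread, checked against constructed log lines, as an added example that is not part of the original messages. Python's `re` module stands in for PCRE here (the constructs used behave the same in both); the sample lines and function names are made up for the illustration, and Xymon's own parsing of the LOG rule is not modeled.

```python
import re

# Constructed sample lines in the style of /var/log/messages (not from the thread).
SAMPLE_LOG = [
    "Sep 18 09:01:12 host1 kernel: Out of memory: Killed process 4321 (httpd)",
    "Sep 18 09:02:40 host1 kernel: Out  of\tmemory: Killed process 4400 (java)",
    "Sep 18 09:03:05 host1 sshd[991]: Connection closed, out of band data ignored",
    "Sep 18 09:04:17 host1 app[77]: cache memory usage at 41 percent",
    "Sep 18 09:05:30 host1 cron[12]: run-parts finished without incident",
]

def matching_lines(pattern, lines=SAMPLE_LOG, flags=0):
    """Return the indexes of the lines the regex matches anywhere in the line."""
    rx = re.compile(pattern, flags)
    return [i for i, line in enumerate(lines) if rx.search(line)]

# The whole phrase, with one or more whitespace characters between the words.
PHRASE = r"Out\s+of\s+memory"
# The three words as independent alternatives: fires on any one of them,
# including as a substring ("without" contains "out").
ANY_WORD = r"out|of|memory"
# "memory*" means "memor" followed by zero or more "y", not "memory, then anything".
STAR_ALONE = r"memory*"
# A literal single space misses lines where the spacing differs.
SINGLE_SPACE = r"Out of memory"

def summary():
    """Collect the result of each pattern so the differences can be compared."""
    return {
        "phrase": matching_lines(PHRASE),
        "phrase_nocase": matching_lines(PHRASE, flags=re.IGNORECASE),
        "any_word": matching_lines(ANY_WORD),
        "single_space": matching_lines(SINGLE_SPACE),
        "star_alone_hits_memorandum": bool(re.search(STAR_ALONE, "memorandum")),
        "dot_is_one_char": bool(re.fullmatch(r"o.t", "out"))
        and not re.fullmatch(r"o.t", "ouut"),
    }

if __name__ == "__main__":
    for name, result in summary().items():
        print(f"{name}: {result}")
```

The alternation form flags every sample line, including the harmless cron entry, while the `\s+` phrase flags only the two out-of-memory events.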


