[hobbit] how to search for exact word patterns
Josh Luthman
josh at imaginenetworksllc.com
Fri Sep 18 21:44:34 CEST 2009
I thought it was a dot from the example from help.
Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373
"When you have eliminated the impossible, that which remains, however
improbable, must be the truth."
--- Sir Arthur Conan Doyle
On Fri, Sep 18, 2009 at 3:08 PM, Greg Hubbard <glh.forums at gmail.com> wrote:
> Yes -- you only need one % at the beginning of your string to tell Xymon
> you are going to use a regular expression. You do not need the other %
> unless they are expected to appear in the log.
>
> When using a regular expression, the | character means "or". So if your
> example will "fire" if any message contains and of those words. Also you
> seem to be using * by itself, which means "match the preceding 0 or more
> times". Normally we use "dot star" ".*" to mean "match anything no matter
> how long."
>
> Regular expressions are a bit of a mystery, but are very powerful. Xymon
> uses Perl-compatible regular expressons (PCRE) so you might be able to
> Google some examples.
>
> If you are searching for "Out of memory" in a log file, you can use "%Out
> of memory" as your regex string. I do not remember how you deal with spaces
> in the string and the Xymon help is not helpful. One way to do it would be
> to change your spaces into \s+ so it would be %Out\s+of\s+memory which
> removes the embedded spaces (so the Xymon parser does not think part of your
> regex is some other token on the commend) and also means that you will match
> of the is at least one whitespace character between each word -- slightly
> more robust than using a single space.
>
> I know the above is a jumble, but if you will post the exact string you
> want to match we can help you create the matching expression to help you get
> the hang of it.
>
> GLH
>
> On 9/18/09, Camelia Anghel <canghel at cjh.org> wrote:
>>
>> Right now looks like this:
>>
>>
>>
>> LOG /var/log/messages %failure*|%failed*|%error*|%Warning*|%memory*
>> Color=Red
>>
>>
>>
>> But if I type
>>
>> LOG /var/log/messages %failure*|%failed*|%error*|%Warning*|%out of
>> memory* Color=Red
>>
>>
>>
>> I’m getting all the messages that have one of these words: out or of or
>> memory somewhere in their string.
>>
>>
>>
>> Camelia
>>
>> -----Original Message-----
>> *From:* Greg Hubbard [mailto:glh.forums at gmail.com]
>> *Sent**:* Friday, September 18, 2009 1:25 PM
>> *To:* hobbit at hswn.dk
>> *Subject:* Re: [hobbit] how to search for exact word patterns
>>
>>
>>
>> Try making it a regex (with % prefix) instead of "simple" expression.
>>
>> On 9/18/09, *Camelia Anghel* <canghel at cjh.org> wrote:
>>
>> Did that but it look for all messages that have one of the 3 words
>>
>> Thanks anyway
>>
>> Camelia
>>
>>
>>
>> -----Original Message-----
>> *From:* Josh Luthman [mailto:josh at imaginenetworksllc.com]
>> *Sent:* Friday, September 18, 2009 11:22 AM
>> *To:* hobbit at hswn.dk
>> *Subject:* Re: [hobbit] how to search for exact word patterns
>>
>>
>>
>> I think it's:
>>
>> HOST=my.host.com
>> LOG /var/log/messages "out of memory" COLOR=red
>>
>> Not tested.
>>
>> Josh Luthman
>> Office: 937-552-2340
>> Direct: 937-552-2343
>> 1100 Wayne St
>> Suite 1337
>> Troy, OH 45373
>>
>> "When you have eliminated the impossible, that which remains, however
>> improbable, must be the truth."
>> --- Sir Arthur Conan Doyle
>>
>> On Fri, Sep 18, 2009 at 9:26 AM, Camelia Anghel <canghel at cjh.org> wrote:
>>
>>
>> Hello all,
>> I am trying to set up an alert to search for exact word patterns in
>> /var/log/messages. For example: "Out of Memory"
>>
>> Any help would be appreciated.
>>
>> Thanks,
>> Camelia
>>
>> To unsubscribe from the hobbit list, send an e-mail to
>> hobbit-unsubscribe at hswn.dk
>>
>>
>>
>>
>>
>>
>> --
>> Disclaimer: 1) all opinions are my own, 2) I may be completely wrong, 3)
>> my advice is worth at least as much as what you are paying for it, or your
>> money cheerfully refunded.
>>
>
>
>
> --
> Disclaimer: 1) all opinions are my own, 2) I may be completely wrong, 3)
> my advice is worth at least as much as what you are paying for it, or your
> money cheerfully refunded.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20090918/1db3831d/attachment.html>
More information about the Xymon
mailing list