[hobbit] how to search for exact word patterns
Greg Hubbard
glh.forums at gmail.com
Mon Sep 21 22:04:28 CEST 2009
Glad to be of service, and thank you very much for posting the results in
case others are interested!
GLH
On 9/21/09, Camelia Anghel <canghel at cjh.org> wrote:
>
> Greg,
>
> That worked!!!
>
> Thanks a lot!
>
> Camelia
>
>
>
> -----Original Message-----
> *From:* Greg Hubbard [mailto:glh.forums at gmail.com]
> *Sent:* Friday, September 18, 2009 3:09 PM
> *To:* hobbit at hswn.dk
> *Subject:* Re: [hobbit] how to search for exact word patterns
>
>
>
> Yes -- you only need one % at the beginning of your string to tell Xymon
> you are going to use a regular expression. You do not need the other %
> unless they are expected to appear in the log.
>
>
>
> When using a regular expression, the | character means "or". So if your
> example will "fire" if any message contains and of those words. Also you
> seem to be using * by itself, which means "match the preceding 0 or more
> times". Normally we use "dot star" ".*" to mean "match anything no matter
> how long."
>
>
>
> Regular expressions are a bit of a mystery, but are very powerful. Xymon
> uses Perl-compatible regular expressons (PCRE) so you might be able to
> Google some examples.
>
>
>
> If you are searching for "Out of memory" in a log file, you can use "%Out
> of memory" as your regex string. I do not remember how you deal with spaces
> in the string and the Xymon help is not helpful. One way to do it would be
> to change your spaces into \s+ so it would be %Out\s+of\s+memory which
> removes the embedded spaces (so the Xymon parser does not think part of your
> regex is some other token on the commend) and also means that you will match
> of the is at least one whitespace character between each word -- slightly
> more robust than using a single space.
>
>
> I know the above is a jumble, but if you will post the exact string you
> want to match we can help you create the matching expression to help you get
> the hang of it.
>
>
>
> GLH
>
>
> On 9/18/09, *Camelia Anghel* <canghel at cjh.org> wrote:
>
> Right now looks like this:
>
>
>
> LOG /var/log/messages %failure*|%failed*|%error*|%Warning*|%memory*
> Color=Red
>
>
>
> But if I type
>
> LOG /var/log/messages %failure*|%failed*|%error*|%Warning*|%out of memory*
> Color=Red
>
>
>
> I’m getting all the messages that have one of these words: out or of or
> memory somewhere in their string.
>
>
>
> Camelia
>
> -----Original Message-----
> *From:* Greg Hubbard [mailto:glh.forums at gmail.com]
> *Sent:* Friday, September 18, 2009 1:25 PM
> *To:* hobbit at hswn.dk
> *Subject:* Re: [hobbit] how to search for exact word patterns
>
>
>
> Try making it a regex (with % prefix) instead of "simple" expression.
>
> On 9/18/09, *Camelia Anghel* <canghel at cjh.org> wrote:
>
> Did that but it look for all messages that have one of the 3 words
>
> Thanks anyway
>
> Camelia
>
>
>
> -----Original Message-----
> *From:* Josh Luthman [mailto:josh at imaginenetworksllc.com]
> *Sent:* Friday, September 18, 2009 11:22 AM
> *To:* hobbit at hswn.dk
> *Subject:* Re: [hobbit] how to search for exact word patterns
>
>
>
> I think it's:
>
> HOST=my.host.com
> LOG /var/log/messages "out of memory" COLOR=red
>
> Not tested.
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
>
> "When you have eliminated the impossible, that which remains, however
> improbable, must be the truth."
> --- Sir Arthur Conan Doyle
>
> On Fri, Sep 18, 2009 at 9:26 AM, Camelia Anghel <canghel at cjh.org> wrote:
>
>
> Hello all,
> I am trying to set up an alert to search for exact word patterns in
> /var/log/messages. For example: "Out of Memory"
>
> Any help would be appreciated.
>
> Thanks,
> Camelia
>
> To unsubscribe from the hobbit list, send an e-mail to
> hobbit-unsubscribe at hswn.dk
>
>
>
>
>
>
> --
> Disclaimer: 1) all opinions are my own, 2) I may be completely wrong, 3)
> my advice is worth at least as much as what you are paying for it, or your
> money cheerfully refunded.
>
>
>
>
> --
> Disclaimer: 1) all opinions are my own, 2) I may be completely wrong, 3)
> my advice is worth at least as much as what you are paying for it, or your
> money cheerfully refunded.
>
--
Disclaimer: 1) all opinions are my own, 2) I may be completely wrong, 3) my
advice is worth at least as much as what you are paying for it, or your
money cheerfully refunded.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20090921/b4720379/attachment.html>
More information about the Xymon
mailing list