logmon Hints and Examples

Constructing regular expression and pattern matching requires meta characters such as * and ?. The probe supports Perl Compatible Regular Expressions (PCRE) which are enclosed in forward slash (/). For example, the expression /[0-9A-C]/ matches any character in the range 0 to 9 in the target string.
uimpga-ga
Constructing regular expression and pattern matching requires meta characters such as * and ?. The probe supports Perl Compatible Regular Expressions (PCRE) which are enclosed in forward slash
 (/)
. For example, the expression 
/[0-9A-C]/
 matches any character in the range 
to 
in the target string.
You can also use simple text with wild card operators for matching the target string. For example, the *
test
* expression matches the text 
test
 in the target string.
Contents
Regular Expression Construct Rules
The following table lists various rules and constructs for creating regex and pattern matching.
The probe performance depends on the regular expression. For example, a narrow down regular expression utilizes low CPU resources than a generic regular expression.
S. No.
Meta Character
Description
Sample Log File Text
Result Using "/"
Result Using "*"
Examples without regex
(Enclosed without "/")
1.
[ ] Square Brackets
Match anything inside the square brackets for only one character position
Sample 1:
“CA UIM12 is a CA product”
Sample 2:
“CA UIMIM0123456 is a CA product” 
Expression 
*[12]
*
returns:
Sample 1: 
The expression 
/[12]/
matches the target to 1. If it does not match, then it matches the target to
2
.
Sample 2: 
The expression /[0123456789]/ match with any character in the range 0 to 9
.
Expression 
*[12]*
returns:
Match
 for the
whole string
 for both 
Sample 1
and 
Sample 2.
Not recommended to use this meta character without “/” as it can result in unexpected match results.
2.
- Dash
Defines range for the target string when used within square brackets. For example, 
[0123456789]
 can be written as 
[0-9]
.
Sample:
“CA UIM12 IM is a CA product” 
Expression 
[0-9 A-C]
returns:
Match
 for 
0
 to
 9 
and 
A
to 
C
 (but not 
a
 to 
c
) in the target string.
Expression
 [0-9A-C]
 returns: 
A
 Match
 the entire string
 [0-9A-C] 
with the target string.
Not recommended to use this meta character without “/”, as it can result in unexpected match results.
3.
^ Circumflex or Caret
  • Matches any string beginning with the expression.
  • Negates the expression when used within square brackets.
Sample:
“CA UIM12 IM is a CA product”
Expression 
/^CA/
returns:
Match
 any string that begins with 
CA
 (in this case 
CA UIM
).
Expression 
*^CA
* returns:
Match for
 the
whole string.
Not recommended to use this meta character without “/”as such patterns are by default appended with another
^
at the beginning and
$
at the end; hence internally handled as
^^CA$
4.
$ Dollar
Matches the target string only at the end.
Sample 1:
“CA UIM12 IM is a CA product”
Sample 2:
“CA UIM12 IM is a product of CA”
Expression 
/uct$/
returns:
Sample 1: 
 matches the text 
uct 
(Product) since it appears at the end of the string
.
Sample 2: NO match
because 
uct
 (Product) does not appear at the end of the target string. 
Expression 
*uct$
* returns:
Sample 1:
matches the
whole string
.
Sample 2: 
returns
No Match
.
Not recommended to use this meta character without “/” as by default such patterns are appended with another
$
at the beginning and
$
at the end; and hence internally handled as
$$uct$
5.
. Period
Matches any character(s) following the expression, except the new line character. 
Sample:
“CA UIM12 IM is a CA product”
Expression 
/U.M/
returns:
UIM will match expression, can also match UOM, UKM, and so on.
Expression *
U.M*
returns 
No Match
, because with *, the probe takes the dot (.) as a literal character instead of an operator.
Not recommended to use this meta character without “/”, as it can result in unexpected match results.
6.
? Question
Matches the target string when the preceding character occurs zero times or once.
Sample 1:
CA UIM IM is a CA product”
Sample 2:
“CIA UIM IM is a CA product”
Sample 3:
CIIA UIM IM is a CA product
Expression 
/C?A/
returns:
Sample 1:
 matches the text 
CA 
because it finds no character between C & A
Sample 2: 
CA UIM matches the text CIA because it finds one character between C and A 
Sample 3: NO Match
because it finds two characters between C & A
.
.
Expression
 *C?A*
returns:
No Match
 for
Sample 1 and sample 3
 because the probe treats the ? operator as the dot (.) operator and expects one between
 C 
and 
A
.
Match
 for
Sample 2
because probe treats the ? operator as the dot (.) operator and it found 
i
between
 C 
and 
A
Not recommended to use this meta character without “/”, as it can result in unexpected match results.
7.
* Asterisk
Matches the target string when the preceding character occurs for zero times or more.
Sample 1:
“CA UIM IM is a CA product”
Sample 2:
“C UIM IM is a C product”
Sample 3:
“CAA UIM IM is a C product”
Expression 
/CA*/
returns: 
Sample 1: 
matches
 CA
because 
A
 is found 1 time.
Sample 2:
matches because 
A
 is found 
0
 times.
Sample 3:
matches because 
A
 is found 2 time.
Expression *
CA**
returns:
Not Match
 for
Sample 2
 as it matches at least 1 occurrence of 
A
(character preceding *).
Matches 
Sample 1
 and 
Sample 3
where occurrence of 
A
 is at least 
1
tre*
 
in the Match Expression
matches only those lines which contains only one word and starting with
tre….(for example,  tree
and
tread)
8.
+ Plus or Addition
Matches the target string when the preceding character occurs for once or more.
Sample 1:
“CAA UIM IM is a CA product”
 
Sample 2:
“CA UIM IM is a CA product
Sample 3:
“C UIM IM is a C product”
Expression 
/CA+/
returns:
Sample 1: Match
because 
CA+
 finds
 A
two times.
Sample 2: Match  CA
because 
ca+
 finds A
 
1 time.
Sample 3:
 
No Match
because 
CA+
 finds 
A
 0 times.
Expression *
CA+*
returns:
Match
 for 
Sample 1
 and 
Sample 2
NO Match 
for
Sample 3.
Not recommended to use this meta character without “/”, as it can result in unexpected match results.
9.
{n}
Matches the target string when the preceding character occurs
n
times exactly.
Sample:
“CA UIM IM is a CA product and its Support Contact Number is 1234567”
Expression 
/[0-9]{3}[0-9]{4}/
 returns:
Match
 because sample contains 
123
which is between 
0
 to 
9
(
[0-9]
) and are three digits 
({3}), 
similarly 
[0-9]{4}
 matches 4567 text of the string.
Expression
 
*
/[0-9]{3}[0-9]{4}*
returns:
Match
 for the whole string.
Not recommended to use this meta character without “/”, as it can result in unexpected match results.
10.
{n,m}
Matches the target string when the preceding character occurs at least
n
times but not more than
m
times.
Sample 1:
“CA UIM IM is a fannntastic product of CA”
Sample 2:
“CA UIM IM is a fannnntastic product of CA”
Expression 
/fan{1,3}t/
returns:
Sample 1: A match (fannnt) 
because Count of 
n
 in 
fannntastic
 is between 
1
 and 
3
.
Expression 
/fan{4,6}t/
returns:
Sample 2: 
No Match
as the count of 
n
 in fannnntastic is 
not
between 
1
 and 
3
.
Expression
*fan{1,3}t*
returns:
Sample 1: 
A
Match
 (whole string)
Sample 2
No Match
Expression
*fan{4,6}t*
returns:
 
Not recommended to use this meta character without “/”, as it can result in unexpected match results.
11.
{n, }
Matches the target string when the preceding character occurs at least
n
times.
Sample 1:
“CA UIM IM is a fannntastic product of CA”
Sample 2:
“CA UIM IM is a fannnntastic product of CA”
Expression 
/fan{2,}t/
returns:
Sample 1: 
A
 Match
because Count of 
n
 is greater than equal to 
2
Sample 2: 
No Match
because count of 
n
 is 
1
which is less than 
2
.
Expression
*fan{2,}t*
 returns:
Sample 1: 
A
Match
 (whole string)
Sample 2: 
No Match
 because count of 
n
 is 
1
which is less than
2
.
Not recommended to use this meta character without “/”, as it can result in unexpected match results.
12.
\\ Escape Sequence
Matches meta characters with literal.
Sample 1:
“CA UIM IM is a CA \\Technologies product”
Sample 2:
“CA UIM IM is a CA \Technologies product”
Expression
/\\\\Technologies/
returns:
Sample 1:
 
A match
because
\\Technologies
 matches in the target string
Expression
/\\\Technologies/
returns:
Sample 2:  A match
because
\Technologies
 matches in the target string 
\\CA UIM:
matches the entire string with
the target string.
Expression
*\\\\Technologies *
 matches
with
Sample 1.
Expression
*\\\Technologies* matches
 with
Sample
 
2.
Not recommended to use this meta character without “/”, as it can result in unexpected match results.
13.
\ Back Slash
Matches the subsequent character with literal.
Used to escape a special character. In some cases, you might need to use one of the characters reserved as operators (any character on this list) within your regular text. In these cases, the backslash is used to escape the operator and uses the next character literally
Sample:
“CA UIM IM is a CA Technologies product but is its support always happy to help?””
Expression 
/help?/
returns:
Sample: 
A
 Match
, but fails to include ? in its search, and matches help instead of help?
Expression 
/help\?/
returns
 help? 
for
Sample.
Expression
*help?*
returns:
Sample:
A
match
, but
fails
to include
?
in its search, and matches
help
instead of
help?
Expression
*help\?*
returns a
Match help?
.
For additional explanation, refer Note 1.
Not recommended to use this meta character without “/”, as it can result in unexpected match results.
14.
"
(
" or "
)
"
Matches meta characters with literal.
 
 
Sample:
“CA UIM IM is a CA  Technologies product and indeed its support is goodgoodgood”
Expression 
/(good){3}/
returns:
Match
 because 
good
is repeated 
3
 times in the target string
Expression 
*(good){3}*
returns:
 
No
 
Match as
(good){3} is not expanded to
goodgoodgood.
Not recommended to use this meta character without “/”,as it will always result in no match with the target string.
 
(logmon 3.60 and later) Using Pattern Files
The probe allows you to select a token from your expression in watcher and exclude rules. The probe then recursively replaces that token from a list of strings in a file. Consider an example where the probe replaces the token nations from a regular expression
/*(nations)*/
, using a file
countries.txt
.
The probe only supports text files where each string is listed as a new line.
Filename
Contents
countries.txt
USA
UK
India
Follow these steps:
Navigate to the required watcher or exclude rule.
  1. Specify the
    /*(nations)*/
    expression in the
    Match Expression
    or
    Exclude Expression
    field.
  2. Select
    Enable regex from external file
    to use the same regular expression with multiple strings.
  3. In the
    Path to pattern file
    field, specify the path of the file as
    C:\countries.txt
    . You can also browse for the file.
  4. In the
    Token to be replaced
    field, specify
    nations
    as the text to replace in the match expression with each string in the file.
  5. Enable the rule to start processing.
The rule processes the expression for each entry in the constructs file. The final expression that the probe processes is
/*(USA|UK|India)*/
.
Notes on Regexp Constructs
All the patterns that are not used with ‘/’ are internally enclosed within ^ and $. For example,
CA
is converted to
^CA$
and further regular expression processing is done considering rules for both
^
and
$
. However, using * (e.g.
*C.A*
) provides another way to the end users to use regular expressions. Some of the existing PCRE rules might change as explained for
*
and
?
meta characters above (examples 6 and 7); however, these patterns, unlike other pattern, return the whole event text (for ntvel) and line containing the match upto 1004 characters length (for logmon), as shown below:
  • Event text:
    CA UIM is a CA product
  • Watcher Rule:
    *C*A*
  • Result:
    Match containing complete string ”CA UIM is a CA product”
  • Event text:
    CA UIM is a CA product
  • Watcher Rule:
    /C*A/
  • Result:
    Match containing only the part of the string: “CA”
General
:
[^<]*
Anything (or nothing) not a '<'. Useful for getting the rest of a tag without knowing what it is!
\"([^\"]*?)\"
Capture anything (or nothing) inside quotes. The data inside the parentheses is available for use in variables on the logmon probe. Use these variables in alarm messages, validate values, and send QoS messages with the contents.
The quotes are also required here and the quote must be escaped with the backslash ‘\’ character.
<A[^>]*?>
Matches and anchor tag up until the end of the tag. This tag generalizes for other tags as required.
<\/A[^<]*?
Matches an end anchor tag and anything up until the start of the next tag.
 A slash ‘/’ must be escaped with a backslash because it is a reserved character in regular expression
If the monitoring target is URL:
Avoid using the * because the regex tries to match anything. The page is stripped of newlines when we get it, so everything is on one long line, and '.*' matches more than you probably expect it to. Be restrictive and try to limit yourself to what is either inside or outside the tag. Avoid using combinations unless you are aware about the log file text, which you are monitoring.
Carriage Return (\r) and Newline (\n) characters are stripped out and replaced by spaces in the file when we get it. Replacing these characters means that you have to be ready to deal with spaces in places, which you do not expect. Either add \s* (zero or more spaces) to your regex or handle anything up to the next start or end of a tag.
For adding space, you can use
\s
on Solaris but it does not work on the Linux and Windows systems.
If the monitoring target is File:
For case sensitive search use
(?-i)
and
(?i)
for case insensitive search. For example, you can search for case insensitive match that contains ‘icon’ and end with the ‘.png’ extension with
/(?i)^.*icon.*.png$/
expression.
Notes on Building Regexp
Break what you are looking for down into manageable component parts. The following example is a table entry in an html file.
  1. Start small - figure out where what you are looking for starts. In this example, start on a table row (<TR bgcolor=#efeee9>).
  2. Figure out a regex to find a table row in the file and add it to your configuration.
  3. Generate a dummy alarm for every match and count number of alarms you received. If it matches the number you are expecting, then move on to the next part of the regex.
  4. Add fields one at a time. As long as you take it one step at a time you can easily see which regex is causing you to get unexpected data.
  5. Open an editor for tracking the regex component parts. Add the notes and judge complexity of the regex. Also track the different parentheses groupings, so that you know which regex you can use in the variable list.
  6. When you match everything you are looking for, you can start adding variable definitions. Do not add thresholds yet - ensure that you are matching everything that you are looking for first. Print them in the alarms and validate that you are getting the expected values.
  7. Add threshold values so that matching entries that are within acceptable limits are not generating alarms.
The threshold is an expected value. So, if the value is 1, the operator is < and the threshold is 5 then an alarm is NOT generated (1<5 = true). In case, the value is 7 then an alarm is sent (7<5 = false). The numeric operators (<, <=, >, and >=) require a numeric value. Checking strings can be done with the
=
,
! =
, and
re
operators. The
re
operator requires a regex, which starts and ends with a slash (/regexp/).
Notes on QoS for Variables
The QoS are generated for the numeric values. You can compare the number of expected matches with actual matches for generating QoS for string values. You can signify that a QoS is the result of an expected value by configuring the
As Expected
field in the QoS definition.
In case, you are looking for a set of variables as a single entity then configure only one variable for generating the QoS.
In case, you are expecting more than one match on a page then use a
QoS Target
that is unique for each match.
String Matching Methods
The logmon probe supports two methods for matching the strings, as follows:
  • Pattern matching: This method is similar to the one found in many shells (UNIX). The probe implements the pattern matching method by default.
  • Regular Expressions: This method is powerful and complex too. A pair of slashes (/ /) encapsulates a regular expression.
    The capabilities are best highlighted by considering a couple of
    logmon
    configuration examples.
Example 1 Logmon Configuration
The user or windows automatically starts the Microsoft Scandisk and it detects a problem with the disk clusters. The Microsoft Scandisk produces the following extract and places it in the C:\SCANDISC.LOG file.
Scandisk could not properly read from or write to Cluster 66293, which contains some or all of C:\WINDOWS\SYSTEM\MSJET35.DLL.
Resolution: Repair the error
Results: Error was partially corrected.
 
Scandisk could not properly read from or write to Cluster 121482, which contains some or all of C:\Program Files\DevStudio\VC\lib\MSVCRTD.PDB.
Resolution: Repair the error
Results: Error was partially corrected.
You have to restart the Microsoft Scandisk when another program writes to this disk.
Write a configuration that reacts on the changes in the scandisk.log and generates an alarm. Search for a block of text that starts with the
properly read from or write to Cluster
and ends on a blank line.
This example demonstrates how we define a
profile
, a
formatting definition
, and a
watcher definition
by using the file extract from SCANDISK.LOG. This example reports when it detects data from the file matching the formatting criteria. If a match is detected, data is extracted using the active watchers. The purpose is to extract the actual Cluster number and the files that are involved with the problem, and report it using a user-defined message.
Define Profile
Follow these steps:
  1. Define a file for monitoring and how to monitor the file.
  2. Click
    the
    New Profile
    Example 1: logmon configuration
    button
    .
    The
    Add A New Profile Definition
    dialog is displayed.
    add new profile defination.png
  3. Create a profile that is named as
    ScanDisk
    and activate the profile by selecting the adjacent checkbox.
  4. Enter the required
    File
    parameter and set the
    Mode
    parameter to
    updates
    .
    LOGMON--Example 1_1 (new)
Define a Formatting Definition
Follow these steps:
  1. Select the
    Format Rules
    tab.
  2. Create a formatting definition by right-clicking the formats window and selecting the
    New
    option.
    The
    Add A New Format Definition
    dialog is displayed.
  3. Name the definition as
    ClusterBlock
    and click
    OK
    .
    Example 1: logmon configuration (4)
    The new definition gets added in the list.
  4. Activate the Format Rule by selecting the checkbox once the new definition is displayed in the list.
  5. Replace the
    Start expression
    field with the
    *read from or write to Cluster*
    text.
  6. Select the
    End expression
    option and the
    blankline
    option from the
    End expression
    c
    ombo-box.
    Example 1_2
Define the Watcher Definitions
Follow these steps:
  1. Select the
    Watcher Rules
    tab and create a watcher definition by right-clicking the watchers window.
  2. Name the watcher rule as
    ClusterError
    . Activate the watcher rule.
    LOGMON--Add a New Watcher Def
  3. Select the
    Watcher Rules > Advanced
    tab and select
    Restrict to format definition
    as
    ClusterBlock
    .
    For more information on
    Advanced tab
    , see
    Create Watcher Rules
    section in the 
    IM Configuration
    article of the applicable version.
  4. Create a variable definition by right-clicking the variables window in the
    Watcher Rules > Variables
    tab and name this variable as
    Cluster
    .
  5. Check the
    Source Line
    and set it to
    1
    (means extract the variable from line one).
  6. Select the
    Column
    option in the FROM frame and set it to
    11
    , which implies to extract column 11.
  7. Select the
    Ignore 'To'
    option.
    This variable watcher definition instructs the probe for extracting the value of column 11 on line 1 and store value in the
    Cluster
    variable.
    LOGMON--Variables
  8. Create another variable and store the text in line 2, column 7 to the end of the line and call this
    file
    .
  9. Activate both the variables.
  10. Select the
    Watcher Rules > Standard
    tab.
  11. Clear the
    Match expression
    field (you have restricted this watcher to the formatting block
    ClusterBlock
    , so a match is implicit).
  12. Specify the
    ScanDisk reports error on Cluster $Cluster containing $file
    text in the
    Message to send on match
    field.
  13. Save the definition by clicking the
    Apply
    button.
Example 2 HTML Page
# http://193.71.55.187:8008/NWHealth (HTML page):
Sample of what we are looking for in the page:
<TR bgcolor=#efeee9><TD><INPUT TYPE="CHECKBOX" NAME=S_0_0_ CHECKED></TD>
<TD><INPUT TYPE="CHECKBOX" NAME=N_0_0_></TD>
<TD><A HREF="javascript:newWindow('/NWHealth/HELP/WTDRESP', 'Generic','width=600,height=500,resizable=no,screenX=20,screenY=0,scrollbars')"><IMG ALIGN=absbottom BORDER=0 SRC=/SYS/LOGIN/info2.gif ALT="Item Specific Help"></TD>
<TD><A HREF="DebugInfo">Work To Do Response Time</A></TD>
<TD align=center><IMG ALIGN=absmiddle BORDER=0 ALT="GOOD" SRC="/SYS/LOGIN/good.gif"></TD>
<TD><FONT COLOR=Green>0</FONT></TD>
<TD><FONT COLOR=Green>0</FONT></TD>
<TD><FONT COLOR=Green>0</FONT></TD>
The full regex for matching data in the sample
:
/<TR[^<]*?<TD[^<]*?<INPUT[^<]*?<\/TD[^<]*?<TD[^<]*?<INPUT[^<]*?<\/TD[^<]*?<TD[^<]*?<A[^<]*?<IMG[^<]*?<\/TD[^<]*?<TD[^<]*?<A[^>]*?>([^<]*?)<\/A[^<]*?<\/TD[^<]*?<TD[^<]*?<IMG[^>]*?ALT=\"([^\"]*?)\"[^<]*?<\/TD[^<]*?<TD[^<]*?<FONT[^>]*?COLOR=(\w+)[^>]*?>([^<]*?)<\/FONT[^<]*?(?:<\/TD[^<]*?)*<TD[^<]*?<FONT[^>]*?COLOR=(\w+)[^>]*?>([^<]*?)<\/FONT[^<]*?(?:<\/TD[^<]*?)*<TD[^<]*?<FONT[^>]*?COLOR=(\w+)[^>]*?>([^<]*?)<\/FONT[^<]*?(?:<\/TD[^<]*?)*/
Regex is broken down into component parts:
Starting a table row definition:
<TR[^<]*?
Include:
<TD[^<]*?<INPUT[^<]*?<\/TD[^<]*?
Notify:
<TD[^<]*?<INPUT[^<]*?<\/TD[^<]*?
Info:
<TD[^<]*?<A[^<]*?<IMG[^<]*?<\/TD[^<]*?
Description $1:
<TD[^<]*?<A[^>]*?>([^<]*?)<\/A[^<]*?<\/TD[^<]*?
Status $2:
<TD[^<]*?<IMG[^>]*?ALT=\"([^\"]*?)\"[^<]*?<\/TD[^<]*?
Note about the next three regular expressions:
The page fails to close the [assign the value for TD in your book] tag with the </TD> tag because the page has a bug. We use the perl-ism
(?:close tag)*
for matching the close tag when the page status is an error and the closing tag is not there. But with the
(?:
, we do not capture the value, it is used for grouping and it does not count for the match numbers.
Current $3 $4:
<TD[^<]*?<FONT[^>]*?COLOR=(\w+)[^>]*?>([^<]*?)<\/FONT[^<]*?(?:<\/TD[^<]*?)*
Peak $5 $6:
<TD[^<]*?<FONT[^>]*?COLOR=(\w+)[^>]*?>([^<]*?)<\/FONT[^<]*?(?:<\/TD[^<]*?)*
Max $7 $8:
<TD[^<]*?<FONT[^>]*?COLOR=(\w+)[^>]*?>([^<]*?)<\/FONT[^<]*?(?:<\/TD[^<]*?)*
Example 3 XML File
# http://193.71.55.187:8008/_ ADMIN/Novell/NRM/NRMHealth.xml (the XML file):
Sample of an entry in the XML file:
<Health_Entry>
<Health_Description>Work To Do Response Time</Health_Description> 
<Health_Status>GOOD</Health_Status> 
<Current_Value>0</Current_Value> 
<Peak_Value>0</Peak_Value> 
<Max_Value>0</Max_Value> 
</Health_Entry>
The full regex for matching data in the sample:
/<Health_Entry[^<]*?<Health_Description>([^<]*?)<\/Health_Description[^<]*?<Health_Status>([^<]*?)<\/Health_Status[^<]*?<Current_Value>([^<]*?)<\/Current_Value[^<]*?<Peak_Value>([^<]*?)<\/Peak_Value[^<]*?<Max_Value>([^<]*?)<\/Max_Value[^<]*?/
Regex is broken down into component parts:
Start of a definition
<Health_Entry[^<]*?
Description $1:
<Health_Description>([^<]*?)<\/Health_Description[^<]*?
Status $2:
<Health_Status>([^<]*?)<\/Health_Status[^<]*?
Current Value $3:
<Current_Value>([^<]*?)<\/Current_Value[^<]*?
Peak Value $4:
<Peak_Value>([^<]*?)<\/Peak_Value[^<]*?
Max_Value $5:
<Max_Value>([^<]*?)<\/Max_Value[^<]*?
Final note on parsing the XML file:
The XML has a strict format and there is not a bunch of markup stuff in there. Moreover, the regex is a lot cleaner (or at least more readable). Therefore, we recommend you to use this entry point rather than the html page. If, however, the XML is not available on a system, the html page is good enough.
Format Interval Example
The Log Monitoring probe uses the
Format Interval
field for saving the incomplete pattern details for certain number of intervals. For example, you configured the
Format Interval
field value as 3. The start and end expressions of a format rule are *start* and *stop*, respectively. The log file text is as follows, which is updated in three consecutive intervals:
Service starting here.
Service A has status OK.
Service B has status OK.
Service C has status ERROR.
Service D has status OK.
Service E has status ERROR.
Service stopping here
First Interval:
Service starting here
Service A has status OK.
Second Interval:
Service B has status OK.
Service C has status ERROR.
Service D has status OK.
Third Interval:
Service E has status ERROR.
Service stopping here.
In the given example, probe identifies the start expression of the format rule in the first interval and the end expression in the third interval. Then the probe marks it as a complete format rule and generates alarm based on your watcher rules. If the
Format Interval
value is set to less than 3, then the format rule remains incomplete and the probe does not generate any alarm.