Re: {bb} Need help with regular expression

To: bb@bb4.com
Subject: Re: {bb} Need help with regular expression
From: Philip Clark <pcclark@tiscali.co.uk>
Date: 12 Jul 2004 22:27:18 +0100
Content-transfer-encoding: 7bit
Content-type: text/plain
In-reply-to: <20040709150010.GC11355@qwestip.net>
References: <20040708204410.GB7803@qwestip.net> <1089341059.3780.268.camel@carter> <20040709150010.GC11355@qwestip.net>
Reply-to: bb@bb4.com
Sender: owner-bb@bb4.com

On Fri, 2004-07-09 at 16:00, Asif Iqbal wrote:
> Philip Clark wrote:
> > 
> > That log message will match both the yellow and red clauses that you
> > have specified. That being the case, I'd expect that the red match
> > takes precedence over yellow where paging is concerned. 
> > 
> > While it might be possible to craft a red clause to ignore "NOTICE"
> 
> Any idea how?

The exact syntax will depend on the version of grep that your system
is using. For GNU grep, I've found that four back-slashes are needed
(so that one is preserved as it passes through the script) in order
to use extended meta-characters. The following should be just one
line. It's not pretty but here goes:

myserver.myplace.net: /var/log/messages : : WARNING ; NOTICE. [^ ]\\
\\+ oracle : NOTICE. [^ ]\\\\+ \\\\([^o]\\\\|o[^r]\\\\|or[^a]\\\\|or
a[^c]\\\\|orac[^l]\\\\|oracl[^e]\\\\) :

You should note that creating a "negative" regular expression is
rarely a complete solution, since you need to match every possible
thing that differs from the target. The red clause above will match
the word NOTICE followed by any single character; a single space;
a word (one or more non-space characters); another space and another
word (which is not "oracle"). Other possible lines (e.g. the word
"NOTICE" on a line by itself) will also fail to cause an alert.
If you expect to see such lines in your log file, you would need
to extend the expression to match those too. 

> > messages from Oracle specifically, I suspect that it might be easier
> > to use an external script to monitor that file.
> 
> I rather monitor the messages file using msgtab if manage to exclude the
> *core dumped string

Another option that I've considered would be to hack bb-msgs.sh to
provide separate "IGNORE" clauses for red and yellow matches. It should
be reasonably simple to achieve (and document for application to new
versions in the future) and I'd probably use this method if I needed
this type of functionality. Then you could use a line like:

myserver.myplace.net: /var/log/messages : : WARNING ; NOTICE. [^ ]\\
\\+ oracle : NOTICE : : NOTICE. [^ ]\\\\+ oracle

Here, the "ignore for yellow" clause is blank and the "ignore for red"
clause matches the "NOTICE" part that is now being handled as a yellow
alert.

Cheers, Phil.

-- 
Entropy isn't what it used to be.

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-=-=
To unsubscribe from this list, or to subscribe to the bb-digest list
send e-mail to mailto:majordomo@bb4.com with unsubscribe bb -and/or-
subscribe bb-digest in the BODY of the message.

References:
- {bb} Need help with regular expression
  - From: Asif Iqbal <iqbala-bb@qwestip.net>
- Re: {bb} Need help with regular expression
  - From: Philip Clark <pcclark@tiscali.co.uk>
- Re: {bb} Need help with regular expression
  - From: Asif Iqbal <iqbala-bb@qwestip.net>

Prev by Date: RE: {bb} unACK?
Next by Date: RE: {bb} unACK?
Previous by thread: Re: {bb} Need help with regular expression
Next by thread: {bb} unexplained purples
Index(es):
- Date
- Thread

Home | Main Index | Thread Index