|
Objective
The aim of this tool is to enable you to run fast and powerful searches for strings. This is one of Monitoring Studio’s key features.
A "must be found" string search looks through the specified file and triggers an alert if the specified string is not found. A "must not be found" string search triggers an alert when the specified string is found.
 | It is possible to run string searches on multi-line records, XML or HTML content. This is feasible owing to the Text Pre-processing tool. You use the Text Pre-processing tool to transform "complex" content, after which you can run string searches on it or extract numeric values from it. See Text Pre-processing for details. |
LOG file analysis
The most commonly used method to monitor an application is still LOG files analysis. Applications log problems in a file as they occur. Monitoring this information helps in understanding the behavior and performance of the application. Most log monitoring tools do not offer acknowledgement/recovery actions. This is where the string search feature makes a difference: it not only allows you to search the LOG file for specified strings, but it is also enable automatic or manual acknowledgement of these errors.
Method (summary)
First specify an information source (a flat or LOG file, a Web request, a database query, a SNMP agent, a script to be executed) and then search for strings that must be found or not be found in the information source. Once you have defined the information source, you can specify a string search in a very detailed way, with the following options:
| • | A combination of two regular expressions with and/or/not |
| • | Where to search in the line (which column, character offset etc.) |
 The string search engine parses the information source line-by-line. Therefore, the criteria you specify should apply to one line; except if you have already pre-processed this text and have converted multi-line records to single lines. See topic Text pre-processing for more details.
 The string searching function works a bit differently on "running sources" (LOG files and never-ending OS commands) than on flat sources (flat files, OS commands, Web requests, etc.):
| • | On "running sources" (LOG files and never ending OS commands), the strings are searched only in new lines since the last polling. For a string search in a running source, two graphs are built: Number of matches since the last acknowledgement and Number of matches per minute since the last polling. |
| • | In addition, for LOG files and "never-ending" OS commands, you can specify auto-acknowledging strings that will automatically reset the graph to the "number of matches". |
| • | On "flat sources" (flat files, OS commands, Web requests, database queries), the strings are searched in the entire source every time (the whole file, the whole standard output, the whole HTTP response, the whole dataset). For a string search in a flat source, one graph is built: Number of matches at the current polling. |
You cannot use auto-acknowledging strings in flat sources (it is not applicable because the parameter restarts from ‘0’ at each polling), but you can specify: Location/area of the source in which to search: n lines, pre-filter, etc.
Create or edit a string search
To create a new string search, right-click the information source icon (file, Web request, etc.) in the PATROL Console and select KM Commands > New > String Search...
To edit an existing string search, right-click the String Search icon in the PATROL Console and select KM Commands > Edit.
Step 1: Specifying what to search for
String Search Wizard — Search definition Page
Search for lines that:
| • | Contain/do not contain: You can enter up to two strings (regular expressions) to look for, and decide whether or not those strings should be contained in the line.
It is also possible to specify if the two strings should be found together (AND), or if only one of the two strings is sufficient (OR). |
| • | The string search is case sensitive: Check the box or leave it unchecked as per your need |
Select where to search: For each entered string, you can specify where in the line to search for the string
| • | Anywhere in the line (default) |
| • | At the following character offset: if you choose to search for the string from a character offset in the line, you must specify the offset in this field.
Character offset is nothing but the character number. For example, to search for a string that starts from the seventh character in the line, you enter the digit 7 as the character offset. |
| • | In the following column number: Enter the column number |
Specify column separators if applicable: If you choose to search for the string from a specific column in the line, you must specify how to identify that column by entering the column number and specifying the separator.
Click the column separator tab in order to select the appropriate field separator. The following panel shows the available default separators: blank space, semicolon, tabulation, comma, and pipe.
String Search Wizard — Column separator definition
Select or de-select applicable separators. For custom separators, enter the character in the field for Other.
| • | Consecutive separators must be treated as a single one: Typically, it indicates that consecutive separators must be treated as a single separator. |
| • | Consecutive separators mean empty columns: Each separator is treated as an individual column separator and the column is considered empty. |
The above two options are especially useful for data separated by blanks.
Step 2: Line selection (flat source only)
String Search Wizard — Line selection (for flat source only)
This window is only displayed when a string search in a flat source (flat file, command line, Web request, etc.) is added.
Select which lines of the source should be scanned
| • | Search for the String(s) in all lines: The string(s) will be searched for in all the lines of the specified source. |
| • | Search for the String(s) only in the following line numbers: Enter the list of line numbers you wish to scan separated by ‘;’. |
Lines are specified as follows:
x, y: line x and line y
x-y: all lines from x to y inclusive
x: all lines from 1 to x inclusive
x-: all lines from x to the end of the file inclusive
Step 2: Automatic acknowledgement of alerts (LOG files and "never-ending" command lines only)
String Search Wizard — Automatic acknowledgement
This dialog-box is displayed only for a string search on a "running source" (LOG file and never-ending OS commands).
In such a case, each time the specified strings are found, the MatchingLineCount parameter increases and triggers an alert. The automatic acknowledgement feature allows you to reset MatchingLineCount value to zero and status to 'normal'.
Acknowledge alert(s) if the string below is found: Check the box to acknowledge the alert.
| • | Indicate whether or not it is case-sensitive |
| • | Select where to search: specify the location of the string, enter the column separators if any |
Acknowledge alert(s) if a timeout of "x" minutes is reached: Check the box to enable alert acknowledgement. A timeout expires since the last matching line found; enter the value (default is set to 120 minutes).
You can select both the above options.
When the above condition is reached: When this occurs, you can either specify if all alerts previously triggered by this string search should be acknowledged at one time (the MatchingLineCount parameter goes back to zero), or if only one alert should be acknowledged (the MatchingLineCount parameter is decreased by one)
| • | Reset the MatchingLineCount parameter to zero (clear all previous alerts) |
| • | Decrease the MatchingLineCount by one (clear the previous alert) |
Step 3: Monitoring Studio settings
String Search Wizard — Settings Page
| • | Object display name: Label that will be displayed in the PATROL Console for this string search object. |
| • | Object internal identifier (ID): PATROL internal identifier of this monitored object. |
What thresholds do you want to set for the newly created instance? A drop-down list allows you to select the mode of setting alert thresholds:
| • | Use default thresholds: Uses the default thresholds set by Monitoring Studio |
| • | Set custom thresholds: Allows you to customize the thresholds for all parameters of the instance |
| • | Use default thresholds and customize them: Sets the default Monitoring Studio thresholds on certain parameters (see list of parameters with default thresholds) and then allows you to customize any/all of them. This is mainly intended to help save time if you wish to customize the thresholds of just one of many parameters for the instance, and leave the default settings for the others. |
| If you select Use default thresholds and customize them; on clicking Finish, the Set Thresholds panel will appear, and certain parameters for the instance may appear with an asterisk symbol - indicating that they already have thresholds. You can then customize (any/all) the thresholds of the parameters as per your specific needs. |
| • | Do not set any thresholds for now: No thresholds will be set on any parameter of the instance, and as a result no alerts will be triggered. Monitoring Studio will poll the object and return the output of the polling, but will not raise any alerts until you set thresholds. |
| Thresholds can be set or modified at anytime by right-clicking on the instance > KM commands > Set Thresholds. |
String search objects are instances of the SW_STRINGS class.
See Also
Command Line analysis
Database Query analysis
File monitoring and analysis
Regular expressions
SW_HTTP_REQUESTS
SW_STRINGS
Text Pre-processing
| 
