String search

The String Search Monitor allows you to run fast and powerful searches for strings on the Monitors that you previously configured (flat, or log files, output of a Web request, or a database query, OID content, etc).

Please note that the String Search Monitor works a bit differently on "running sources" (Log files and never-ending command lines) than on flat sources (flat files, command lines, Web requests, etc.):

▪	the strings are searched only in new lines since the last polling. For a string search in a running source, two graphs are built: Number of matches since the last acknowledgment and Number of matches per minute since the last polling.

▪	you can specify auto-acknowledging strings that will automatically reset the graph to the "number of matches".

▪	the strings are searched in the entire source every time (the whole file, the whole standard output, the whole HTTP response, the whole dataset). For a String Search in a flat source, one graph is built: Number of matches at the current polling.

▪	you cannot specify auto-acknowledging strings since the parameter is recalculated from "0" at each polling.

▪	you can specify where information should be searched in the file (n lines, pre-filter, etc.).

To search for a specific string

1.	If the file to be parsed is a multi-line, XML, JSON, or HTML content, pre-process its content.

2.	In the PATROL Console, right-click the Monitor icon (file, Web request, etc.) and select KM Commands > New > String Search...

▪	Contain/do not contain: You can enter up to two strings (regular expressions) to look for, and decide whether or not those strings should be contained in the line. It is also possible to specify if the two strings should be found together (AND), or if only one of the two strings is sufficient (OR).

▪	Select where to search: For each entered string, you can specify where in the line to search for the string:

▪

At the following character offset: if you choose to search for the string from a character offset in the line, you must specify the offset in this field. Character offset is nothing but the character number. For example, to search for a string that starts from the seventh character in the line, you enter the digit 7 as the character offset.

▪	Skip blank lines: Select this option to have Monitoring Studio ignore blank lines. This option is particularly useful when searching for lines that do not contain a specific string, as blank lines would match this search criteria.

▪	since last acknowledge (incremental): Select this option to count the lines matching the String Search since the last time the MatchingLineCount parameter was reset or the PATROL Agent started.

▪	in the current collect only: Select this option to count the lines matching the String Search during the current collect.

a) For String Searches on a flat source (flat file, command line, Web request, etc.), the following dialog box is displayed:

▪	Search for Strings in all lines: The string(s) will be searched for in all the lines of the specified source.

▪	Search for Strings only in the following line numbers: Enter the list of line numbers you wish to scan separated by ‘;’. Lines are specified as follows:

Example

Here are some examples of formats that can be used when specifying line numbers: "4;6;8", or "3-", or "-5", or "1;3-5;7-9"

b) For String Searches on a running source (log file and never-ending command lines) the following dialog box is displayed:

▪	Acknowledge alert(s) if the string below is found: Check the box to acknowledge the alert.

▪	Acknowledge alert(s) after: Check this box and then specify the time in seconds after which the alerts will be acknowledged. Default is 120 minutes.

▪	When Acknowledging: Specify the action you wish Monitoring Studio to perform when acknowledging an alert:

▪	Select the Reset the MatchingLineCount parameter to zero option to have Monitoring Studio automatically reset the counter of the MatchingLineCount parameter to zero.

▪

Select the Decrease the MatchingLineCount parameter by one option to have Monitoring Studio automatically decrease by one the value of the counter of the MatchingLineCount parameter. Use this option if you need the solution to acknowledge each event counter and get a close follow-up on the log activity.

4.	If the option In the following column number was previously selected, you will have to specify the column separator to be considered to identify the relevant column:

▪	Select or de-select applicable separators. For custom separators, type the character(s) one after the other in the Others field.

▪	Consecutive separators must be treated as a single one (useful for data separated by blank spaces): Typically, it indicates that consecutive separators must be treated as a single separator.

▪	Consecutive separators mean empty columns (useful for data separated by comma, such as a in .csv file): Each separator is treated as an individual column separator and the column is considered empty.

▪	Do not interpret quotes: All applicable separators will be considered as a column separator even when enclosed in quotes.

▪	Consider text in "double quotes" as a single column: Text enclosed in double quotes will be considered as a single column. Any separator found within double quotes will not be considered as a column separator.

▪	Consider text in 'single quotes' as a single column: Text enclosed in single quotes will be considered as a single column. Any separator found within single quotes will not be considered as a column separator.

6.	Click Finish. The corresponding String Search instance (String Search: <Display Name>) is created in the PATROL Console. The collected parameters for String Search Monitors are listed in the SEN_MS_STRING chapter.

Searching for a Specific String

To search for a specific string

a) For String Searches on a flat source (flat file, command line, Web request, etc.), the following dialog box is displayed:

b) For String Searches on a running source (log file and never-ending command lines) the following dialog box is displayed: