I am looking to monitor a log file for particular strings using the out-of-the-box Log Parser (PowerShell) monitor - specifically the "number of newly found strings" component.
When I include an = sign in the string, it seems to break the string/regex parser?
E.g. I want to search for the string SEVERITY=WARNING and the monitor returns 0 results. If I remove the = and search for just SEVERITY or WARNING then the monitor works. However, I can't do this as the log contains the word WARNING in other lines we don't want to include. Additionally we will run multiple copies of this component for different severity levels:
SEVERITY=CRITICAL
SEVERITY=MAJOR
SEVERITY=MINOR
SEVERITY=WARNING
Separately I'm also trying to monitor particular strings using the out-of-the-box Log Parser (Perl) monitor - again the "number of newly found strings" component.
The description contains the following information:
This monitor uses the following arguments: perl ${SCRIPT} LogFilePath RegularExpression
where
LogFilePath - This is the path of the target log file on the target server. The path can contain spaces.
RegularExpression - This is used for regular expression searches to find a desired string in the log file. Searches are case sensitive and can contain spaces.
Below is an example using the Command Line field: perl ${SCRIPT} "/etc/inittab" "init"
In one case I am monitoring a log file for "SEVERITY=MAJOR" but want to exclude a specific error code. The log will contain lines such as the following but we want to exclude SI112.
2019-11-27 11:14:26 [text] ERROR bunchoftext - MONITORED_ERROR (CODE=SI112, NAME=TEMPORARY_MESSAGE_ERROR, SEVERITY=MAJOR) - bunchoferrortext
2019-11-27 11:15:41 [text] ERROR bunchoftext - MONITORED_ERROR (CODE=SI002, NAME=TEMPORARY_MESSAGE_ERROR, SEVERITY=MAJOR) - bunchoferrortext
2019-11-27 11:18:52 [text] ERROR bunchoftext - MONITORED_ERROR (CODE=SI352, NAME=TEMPORARY_MESSAGE_ERROR, SEVERITY=MAJOR) - bunchoferrortext
Using www.regexr.com I came up with this regex that excludes the error code.
^(?!.*SI112).*SEVERITY=MAJOR.*$

However, when we run this against the log file it picks up all the error codes including the one we are trying to exclude.
perl ${SCRIPT} "/app/filelocation/logfile.log" "^(?!SI112).*SEVERITY=MAJOR"
I came across this other thread about the log parser (PowerShell) not accepting complex Regex expressions but it has no response.
Log Parser (Powershell) accept regex expressions
Anyone else run into issues with the log parser and Regex (or other parsing problems)? I'm guessing another solution is to rewrite a script that includes these filters within the script...
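
Added example, not part of the original post: a small Perl script that runs the two patterns quoted above against the three sample log lines from the post, showing that they are not the same regex. `(?!SI112)` placed directly after `^` only asserts that the line does not start with SI112, while `(?!.*SI112)` rejects the code anywhere in the line. The function names (matched_codes, major_excluding) and the two-test alternative are illustrative assumptions, not part of the Log Parser monitor.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The three sample log lines quoted in the post.
my @lines = (
    '2019-11-27 11:14:26 [text] ERROR bunchoftext - MONITORED_ERROR (CODE=SI112, NAME=TEMPORARY_MESSAGE_ERROR, SEVERITY=MAJOR) - bunchoferrortext',
    '2019-11-27 11:15:41 [text] ERROR bunchoftext - MONITORED_ERROR (CODE=SI002, NAME=TEMPORARY_MESSAGE_ERROR, SEVERITY=MAJOR) - bunchoferrortext',
    '2019-11-27 11:18:52 [text] ERROR bunchoftext - MONITORED_ERROR (CODE=SI352, NAME=TEMPORARY_MESSAGE_ERROR, SEVERITY=MAJOR) - bunchoferrortext',
);

# The two patterns that appear in the post.
my @patterns = (
    [ 'regexr pattern',       '^(?!.*SI112).*SEVERITY=MAJOR.*$' ],
    [ 'command-line pattern', '^(?!SI112).*SEVERITY=MAJOR' ],
);

# Hypothetical helper: return the CODE= value of every line a pattern matches.
sub matched_codes {
    my ($pattern, @input) = @_;
    my $re = qr/$pattern/;
    my @codes;
    for my $line (@input) {
        next unless $line =~ $re;
        my ($code) = $line =~ /CODE=(\w+)/;
        push @codes, defined $code ? $code : '(no code)';
    }
    return @codes;
}

for my $p (@patterns) {
    my ($name, $pattern) = @$p;
    my @codes = matched_codes($pattern, @lines);
    printf "%-21s %-34s matched %d: %s\n",
        $name, $pattern, scalar @codes, join(', ', @codes);
}

# Hypothetical alternative for a custom script: two plain tests instead of a
# lookahead, so the filter does not depend on how the regex argument is quoted.
sub major_excluding {
    my ($exclude_code, @input) = @_;
    return grep { /SEVERITY=MAJOR/ && !/CODE=\Q$exclude_code\E\b/ } @input;
}

my @kept = major_excluding('SI112', @lines);
printf "two-test filter excluding SI112 kept %d line(s)\n", scalar @kept;
```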