Hello everyone, I currently have the Powershell Log parser up and running and collecting metrics on multiple log files spanning across multiple nodes in our environment. It's been working excellent thus far but I've noticed a couple small hiccups in the generated alerts. Normally when the alert fires, it will display the specific lines from the log file that caused the alert to trigger. This is done by using the string below in the alert email action which pulls the values from dbo.APM_AlertsAndReportsData. Also, side note, huge shout out to njoylif for helping me get this configured!! Thanks again man! ${SQL:SELECT CONCAT('',' ', REPLACE(REPLACE(MultiValueMessages , '; 20' ,'; 20'), 'Lines that have search string:' ,'Lines that have search string: '),' ','') FROM SolarWindsOrion.dbo.APM_AlertsAndReportsData where ComponentID = ${ComponentID}} The issue I'm having is rare, maybe 1 out of 200 alerts. Occasionally, a log alert will fire and instead of getting the strings that caused the alert, we get "No newly found strings" as the output. I'm not sure if this is related to the temp file that the powershell script uses not getting refreshed properly? Or if the location where we are pulling the "MultiValueMessages" in the database isn't populated fast enough so it's just picking up "No newly found strings"? Anyhow, I'm hoping someone else had ran into this and could shed some light on it for us. Thank you for your time!

Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials

Log Parser (Powershell)

Hello everyone,

I currently have the Powershell Log parser up and running and collecting metrics on multiple log files spanning across multiple nodes in our environment. It's been working excellent thus far but I've noticed a couple small hiccups in the generated alerts.

Normally when the alert fires, it will display the specific lines from the log file that caused the alert to trigger. This is done by using the string below in the alert email action which pulls the values from dbo.APM_AlertsAndReportsData. Also, side note, huge shout out to njoylif for helping me get this configured!! Thanks again man!

${SQL:SELECT CONCAT('','<table><tr><td>', REPLACE(REPLACE(MultiValueMessages , '; 20' ,';<br />20'), 'Lines that have search string:' ,'Lines that have search string:<br />'),'</td></tr></table>','') FROM SolarWindsOrion.dbo.APM_AlertsAndReportsData where ComponentID = ${ComponentID}}

The issue I'm having is rare, maybe 1 out of 200 alerts. Occasionally, a log alert will fire and instead of getting the strings that caused the alert, we get "No newly found strings" as the output. I'm not sure if this is related to the temp file that the powershell script uses not getting refreshed properly? Or if the location where we are pulling the "MultiValueMessages" in the database isn't populated fast enough so it's just picking up "No newly found strings"?

Anyhow, I'm hoping someone else had ran into this and could shed some light on it for us. Thank you for your time!

Find more posts tagged with

Accepted answers

jrouviere

Could be related as it states that your Polling Engine is Down, so here's a KB that you may want to check, starting with Services:

Additional Polling Engine is down or is not polling - SolarWinds Worldwide, LLC. Help and Support

Additionally I just noticed that your screenshot shows it's the Primary poller, not an additional one. Start by checking services, otherwise you may want to see if your environment relates to this article or reach out to Support for assistance:

Core Business Layer failed to start and polling engine is down - SolarWinds Worldwide, LLC. Help and Support

All comments

jdwinns

I just noticed while troubleshooting that our database is out of sync. Not positive if the two issues are related or not. The "No newly found strings" alert issue has been happening on occasion for a few months, the database sync seems to be a newer problem.

Has anyone else had this happen or know the reason why the database would be out of sync? Any possible resolutions? Server restart perhaps?

jrouviere

Could be related as it states that your Polling Engine is Down, so here's a KB that you may want to check, starting with Services:

Additional Polling Engine is down or is not polling - SolarWinds Worldwide, LLC. Help and Support

Core Business Layer failed to start and polling engine is down - SolarWinds Worldwide, LLC. Help and Support

cahunt

Agreed! If you are not connected to your DB then you are unable to either write the new polled data from the component or read the newly stored data, if not both.

It would explain why you are getting the no new log entries, and with that type of script that output can be normal to let you know the component is still working and checking for you (possibly setup as a reset trigger, if there is no component status/threshold set then I would figure it to be the reset).

-CharlesH

Loop1 Systems: SolarWinds Training and Professional Services

LinkedIN: Loop1 Systems
Facebook: Loop1 Systems
Twitter: @Loop1Systems

jdwinns

Okay thank you!

So, the VM server that our main polling engine runs on is up, no obvious issues there. Also, the Orion services are all "Running" except for Solarwinds NetPerMon, it says that it is "Started". Similarly, the database server is up and active, we are running a MSQL 2016 db.

My questions is, how the heck are we still getting alerts and such if the Polling engine is actually down?

jdwinns

Thanks!

It ended up being the Orion services, even though they were all "running" when the database was out of sync they apparently needed to be restarted. Glad it was an easy fix, hoping to find out what caused it.

jdwinns

Just an update on this - We continue to occasionally receive "No newly found strings" in alert emails from our "Log Parser - Newly Found Strings" applications. It happened today and I quickly verified that the alert was valid by locating the string in today's log.

What I still believe might be happening is when the monitor detects and error string, it trips the alert and fires off an email before the DB field “MultiValueMessages” gets populated, so it’s grabbing the default “No newly found strings” instead.

I was going to try and add a short delay before the E-mail trigger action to see if that resolves the problem. Has anyone else seen this happen? Is there a way to find out how much of a delay there is between when the component monitor parses the log and detects an ERROR string to how fast the database field “MultiValueMessages” gets populated?