
Log Parser (powershell) w/Message Returned

This template is an altered version of the SW provided PowerShell Log Parser.  I altered it because my IT teams requested that instead of just telling them a particular string was found in the monitor...they wanted the full string returned to them in the email.  This template accomplishes that.

 

The Log Parser template allows you to check a specified log file and determine the total number of lines that match your search criteria.  This script will return the actual message text found in the logfile in the ${ComponentMessage} variable which can be returned in the alert.

Prerequisites: WinRM must be installed and properly configured on the target server.

Credentials: Administrator on target server.

 

Comments

Hello Mike,

I have been working with Solarwinds Tech Support on an issue for about a month now and they pointed me to your template. I'm in no way a script writer and I was wondering if you could direct me a little bit. My department wants me to create a SAM alert that will retrieve the variable from a log file generated by a program called macro scheduler. The idea was to have the macro launch Excel, then open a 7meg spreadsheet and record how long it takes for the file to open. My colleague created the script which would execute this macro and this is the output for %logfile%.log:

13:53:47:167 - Start Macro
13:53:53:090 - Elapsed: 5.890625
13:54:23:249 - Start Macro
13:54:28:548 - Elapsed: 5.25

I wanted to have SAM retrieve the start time, and elapsed time in order to have a scheduled poll to be trended. This log would be generated on a pc in a remote site.

Tech support originally told me that the only way SAM could monitor this is if the log was converted to an event log. So my colleague went ahead and created an event log that generated this: PBG Confirmit.JPG

So after working with support to retrieve this log, I thought I was in the clear, only to find that the only thing SAM can do is poll this event and tell me whether it is up or down depending on whether it finds this event in the poll window. I told them that the only thing I was interested in was the macro variable listed. They then said the only way to extract that data was if we wrote a script to write to a database.

After an exhaustive rant about them wasting my time, I asked if there was any other way to get the info I was looking for and they pointed me to this template.

So from the explanation I described here, can you tell me how and what to plug into your script to get SAM to retrieve the info?

Thank you,

Steve Donato

I have a different script for doing this in an event log that I don't have a template published for, however I know someone else recently published a similar template.  http://thwack.solarwinds.com/docs/DOC-166220     I have personally not tried this one yet but I don't see why it wouldn't work for you.

mdriskell - I've updated this significantly to fit some things that we were doing in our environment - namely it can take a file name pattern and date pattern so that it can search logfiles of type my_log_file_2015_05_07.log.  If you're interested, please message me and I'll be happy to share it so that you can update this post.

Thanks we did modify ours to do that as well when we ran into that use case.  Feel free however to upload your own template for others to use.

Mike Driskell / dmeiser,

Could either of you post your template with the log file name option? I need to do the same thing.

Thanks

Sorry for not getting back to you sooner, I've uploaded my modifications to the Content Exchange.  Once they've been approved, you should be able to download them.

you da man!  thank you

Hi Mike

I've been asked by the DBA team to monitor some logfiles for any Oracle errors that may occur. One request they had was to incorporate the error message in the email that was sent to them. I saw your template and the description of it was spot on to what I needed. However I'm not able to incorporate the error in the email. I can see the whole error line in the "Application Component Details" page in Solarwinds, but when I receive the email the error is not included. I have added ${ComponentMessage} to email body but all it returns in the email is ${ComponentMessage}. What am I doing wrong?

Try the MultipleStatisticData variable.  In the newer alerting engine this is the variable I'm using now and it returns the message.   ${N=SwisEntity;M=MultipleStatisticData.StringData}

Thanks for your reply Mike, however I'm not able to retrieve the data with that variable either. Which version of the alerting engine are you using?

I'm on the current version of all products.

All modules are updated to the latest versions but I'm still not able to retrieve the message. However I can see the message in the database under dbo.ComponentAlertVariable. It's visible in the MultiValueMessages column.

I'm not that familiar with how the variables work in Solarwinds. All I have entered in the Body of the email is ${N=SwisEntity;M=MultipleStatisticData.StringData}

Hi, dmeiser

Did they approve your template?

I don't think I ever uploaded it...  I'll upload it and link it.  Just to let you know, though, it gives a false "Up" or "All Clear" message when a log file flips over.  It doesn't get a "down" message, just an All Clear/Up.

Hello Mike,

I was wondering if you knew if there was a way to return a message larger than what is found within the search string.

For example:

I am sending SNMP traps to a txt file. Each trap looks like:

++++++++++++++++++++++++++++++++++++

4/30/2016 1:05 AM sp072a:10.2.2.39 BMC-CONTROLEM-MIB:alertTrap.10 SNMP Trap
Received Time:4/30/2016 1:05:16 AM
Source:10.2.2.39(sp072a)
Community:Public
Variable Bindings
alertTrapUpdateType:= I
alertTrapAlertId:= 612668
alertTrapControlM:= sp072a
alertTrapMemName:= SAPCLEV_SD_STRPOEXT
alertTrapOrderId:= 31wok
alertTrapSeverity:= V
alertTrapStatus:= Not_Noticed
alertTrapTime:= 20160430010515
alertTrapUser:=
alertTrapUpdateTime:=
alertTrapMessage:= MAXRUN
alertTrapOwner:= OPERATOR
alertTrapGroup:= ATP
alertTrapApplication:= DAILYATP
alertTrapJobName:= SAPCLEV_SD_STRPOEXT
alertTrapNodeId:= prdapp27
alertTrapType:= R
alertTrapClosedFromEM:=
alertTrapTicketNumber:=
alertTrapRunCounter:= 00000000001
alertTrapNotes:=
snmpTrapOID:= BMC-CONTROLEM-MIB:alertTrap.10 (1.3.6.1.4.1.1031.9.1.0.10)
sysUpTime:= 0.00 second (0)
experimental.1057.1.0:= 10.2.2.39
snmpTrapEnterprise:= BMC-CONTROLEM-MIB:controlmAlert (1.3.6.1.4.1.1031.9.1)

+++++++++++++++++++++++++++++++++++++

I am alerting on every new instance of "alertTrapJobName"

I am seeing in the email that it shows:

Number of newly found strings 1. Lines that included the error are alertTrapJobName:= SAPCLEV_SD_STRPOEXT

What I am looking for is to return some other lines as well. I would like at least that line, and the other four lines above if possible:

alertTrapMessage:= MAXRUN

Thank you kindly,

Garret
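Added example, not part of the original thread or of the template itself: one way to return the matched line together with the four lines above it, using Select-String's -Context parameter. The sample file, its path and the separators are constructed for illustration, and the Statistic:/Message: output lines are assumed to be what the script monitor reads.

```powershell
# Added example: return each matching line plus the four lines above it.
# The file content below is constructed sample data modelled on the trap dump above.
$logPath = Join-Path ([System.IO.Path]::GetTempPath()) 'traps-sample.txt'   # hypothetical path
@'
alertTrapTime:= 20160430010515
alertTrapMessage:= MAXRUN
alertTrapOwner:= OPERATOR
alertTrapGroup:= ATP
alertTrapApplication:= DAILYATP
alertTrapJobName:= SAPCLEV_SD_STRPOEXT
alertTrapNodeId:= prdapp27
'@ | Set-Content -Path $logPath

$pattern     = 'alertTrapJobName'
$linesBefore = 4

# -Context <before>,<after> attaches the surrounding lines to every match.
$hits = @(Select-String -Path $logPath -Pattern $pattern -SimpleMatch -Context $linesBefore, 0)

$blocks = foreach ($hit in $hits) {
    # PreContext holds the lines above the match; Line is the matching line itself.
    # Near the top of the file PreContext simply contains fewer lines.
    $block = @($hit.Context.PreContext) + $hit.Line

    # The log text comes from whoever sent the trap, so strip control characters
    # before it goes into an alert, and keep each record on one line.
    ($block | ForEach-Object { ($_ -replace '[\x00-\x1F]', ' ').Trim() }) -join ' | '
}

# Assumed output convention: one Statistic line and one single-line Message.
Write-Host "Statistic: $($hits.Count)"
Write-Host "Message: Number of matching records $($hits.Count). $($blocks -join ' || ')"
```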

It might be possible but I'm not sure of a way to do that off the top of my head. Can I ask why that method and not just a built-in Trap rule? A trap rule can email the entire body of the trap.

I think that might solve some issues...

The reason I was going this method was because of a tiered/escalation process of notifying different support groups.

I believe I can make this work though...

My 2 cents: escalation alerts don't work well with any log file monitor unless the message continues to hit the log. The example I always give people is I can scrape a log for the phrase "The server is on fire". I can scrape 5 min later and not find a second entry. Doesn't mean the fire is out...just means no new logs.

Thanks for this! I'm currently testing it in our environment to monitor a few custom log files. However, I'm running into a small issue and wondering if anyone could assist.

Currently the output looks similar to this:

Number of newly found strings 3. Lines that included the error are. 2017-10-26 17:18:30,004 INFO  [com.company.workflow.ejb.ProcessRulesEJB]

(EJB default - 7) processWorkflowRule()- rules to process! 2017-10-26 17:17:39,476 INFO  [com.company.workflow.ejb.ProcessEnrollmentEJB] (EJB

default - 2) processEnrollmentFile() - No enrollments were found 2017-10-26 17:17:29,991 INFO  [com.company.workflow.ejb.ProcessRulesEJB] (EJB

default - 4) processWorkflowRule()- rules to process!

I want it to look like this:

Number of newly found strings 3. Lines that included the error are:

2017-10-26 17:18:30,004 INFO  [com.company.workflow.ejb.ProcessRulesEJB] (EJB default - 7) processWorkflowRule()- rules to process!

2017-10-26 17:17:39,476 INFO  [com.company.workflow.ejb.ProcessEnrollmentEJB] (EJB default - 2) processEnrollmentFile() - No enrollments were found

2017-10-26 17:17:29,991 INFO  [com.company.workflow.ejb.ProcessRulesEJB] (EJB default - 4) processWorkflowRule()- rules to process!

So I made the following changes, which work great when I run an internal test in Solarwinds against the node. However, the output in the alert message and e-mail comes out blank.

If($temp -gt 1)
{
      for ( $i = 1 ; $i -le $temp; $i++ )
      {
            $lines += $resl[$count - $i] + "`n"
      }
      write-host "Message: Number of newly found strings $temp. Lines that included the error are:`n$lines"
}
else
{
      $line = $resl[$resl.Count - 1] + "`n"
      write-host "Message: Number of newly found strings $temp. Lines that included the error are:`n$line"
}

Any ideas what I am doing wrong?

Version history: revision 1 of 1, last update 03-20-2012 12:00 AM