Ad Widget

Collapse

Search for multiple strings in logs using Logrt()

Collapse
X
Collapse
 
  • Page of 1
  • Time
  • Show
Clear All
new posts
Previous template Next
  • J_Adatasol
    Member
    • Dec 2018
    • 74
    #1

    Search for multiple strings in logs using Logrt()

    I'm trying to setup some log file monitoring to search for errors that are added to the log. I was able to get the basic functionality working, where it would find a particular string in the log and fire off a Trigger in the Zabbix server. Then it would also recover, when it met the parameters. That's all fine.

    However, I need to search that same log file for one of two different error strings - I want to activate the Trigger for either error (an OR logic test). I've not been able to figure out how to get that done yet. I saw another posting where they just included a pipe between the terms, but that's not working for me - when I try it I get an error back from Zabbix configuration after clicking 'Update'.

    This one works (it has been slightly modified for this posting, but the general pattern is sound):
    Code:
    {Template_1:logrt["C:\Program Files\Logs\Event.log","process has terminated",,4,,,].nodata(60)}=0
    If I try a very simple change, I get an error when trying to save the new string:
    Code:
    {Template_1:logrt["C:\Program Files\Logs\Event.log","process hassss terminated",,4,,,].nodata(60)}=0
    What I ultimately am looking for is two different strings:
    Code:
    {Template_1:logrt["C:\Program Files\Logs\Event.log","process has terminated|process exited",,4,,,].nodata(60)}=0

    The error I get back when trying to save it is:
    Code:
    Details     Cannot update trigger[LIST][*]Incorrect item key "logrt["C:\Program Files\Logs\Event.log","process has terminated|process exited",,4,,,]" provided for trigger expression on "Template_1".[/LIST]
    Anyone have any tips on getting this to work?
    Tags: None
    • DmitryL
      Senior Member
      Zabbix Certified SpecialistZabbix Certified Professional
      • May 2016
      • 278
      #2
      If you need to change the strings that you want to look for, you need to do that in the Item configuration, not in the trigger.
      You can use item key in trigger expression only 1:1 match with item you have configured.

        Comment

        • J_Adatasol
          Member
          • Dec 2018
          • 74
          #3
          Doh! Holy cow - I knew it would be something easy. Thanks for pointing out my error.

          I updated my item...now to wait and see if it works!

            Comment

            • J_Adatasol
              Member
              • Dec 2018
              • 74
              #4
              So, I got that part straightened out - I added the 2nd string that I'm searching for to my Item, using the pipe symbol. Here's the Item setup (roughly):
              Code:
              logrt["C:\Program Files\Logs\Events.log","process has terminated|process (NAME) is stopped",,4,,,]
              But it's not finding instances of the 2nd string. I tried swapping their positions (1st string <-> 2nd string), and that didn't change things - so it's not simply the position of the string.

              I think it has to do with the parenthesis around "NAME". These need to be literal strings, not a regex grouping. This is the content of the string as it appears in the log file.

              I tried escaping them, like:
              Code:
              process \(NAME\) is stopped
              But that doesn't appear to have worked. Does anyone know of how I can include a literal parenthesis in my Zabbix Logrt() search string?

                Comment

                • J_Adatasol
                  Member
                  • Dec 2018
                  • 74
                  #5
                  Errr...wait - it appears that the escaped parenthesis is now working:

                  Code:
                  "process \(NAME\) is stopped"
                  does appear to work.

                    Comment

                    Previous template Next
                    Working...