I am attempting to write a series of triggers for a single log check item.
I want to have a starting trigger that catches any unknown string of "ERROR"; this is easy enough to do. I want to be able to incrementally add known errors that can trigger in its place, such as "ERROR: INVALID LOGIN", which can trigger multiple times, and another trigger such as "FATAL ERROR: CANNOT MISSING DEPENDENCY", which I want to have as a single trigger that will not spawn constant alerts.
I made these examples up, but I hope the idea is clear.
I originally tried using dependencies, because I didn't understand them well. This created a problem with the default general trigger never activating when another trigger was active.
My current thinking is that the general trigger should have a problem expression that does an AND !(other trigger expressions). This seems messy and not like the best means to do this.
Code:
{Template Application Custom:log[{$APPLICATION.LOGS.DIR}/error.log].regexp(ERROR,10)}=1
and {Template Application Custom:log[{$APPLICATION.LOGS.DIR}/error.log].regexp(ERROR: INVALID LOGIN,10)}=0
and {Template Application Custom:log[{$APPLICATION.LOGS.DIR}/error.log].regexp(FATAL ERROR: CANNOT MISSING DEPENDENCY,10)}=0
I don't like my solution to this - it's painful and doesn't seem to scale well. Is there a best practice I'm not seeing?
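
An added example, not part of the original post: a simplified Python model of the expression above, assuming regexp(pattern,10) returns 1 when any value received in the last 10 seconds matches. It generates the catch-all expression from a list of known errors (joined with Zabbix's lowercase `and`) and shows that an unknown error arriving in the same window as a known one does not raise the general trigger. Function names and sample log lines are constructed for illustration.

```python
import re

# Item key and error strings are taken from the post; everything else is illustrative.
ITEM = "Template Application Custom:log[{$APPLICATION.LOGS.DIR}/error.log]"
KNOWN = ["ERROR: INVALID LOGIN", "FATAL ERROR: CANNOT MISSING DEPENDENCY"]
WINDOW = 10  # seconds, the second parameter of regexp() in the post


def general_expression(known=KNOWN, window=WINDOW):
    """Build the catch-all problem expression from the list of known errors."""
    terms = ["{%s.regexp(ERROR,%d)}=1" % (ITEM, window)]
    terms += ["{%s.regexp(%s,%d)}=0" % (ITEM, k, window) for k in known]
    return "\nand ".join(terms)


def regexp(values, pattern, now, window=WINDOW):
    """Simplified model of regexp(pattern,sec): 1 if any value in the window matches."""
    return int(any(re.search(pattern, text)
                   for ts, text in values if now - window < ts <= now))


def general_fires(values, now, known=KNOWN):
    """Evaluate the catch-all expression at time `now` (seconds)."""
    return (regexp(values, "ERROR", now) == 1
            and all(regexp(values, re.escape(k), now) == 0 for k in known))


# Constructed sample values: (arrival time in seconds, log line)
SAMPLE = [
    (0, "ERROR: DISK QUOTA EXCEEDED"),   # unknown error on its own
    (30, "ERROR: INVALID LOGIN"),        # known error on its own
    (58, "ERROR: INVALID LOGIN"),        # known error ...
    (60, "ERROR: CACHE TIMEOUT"),        # ... followed 2 s later by an unknown one
]

if __name__ == "__main__":
    print(general_expression())
    for t in (0, 30, 60):
        print("t=%ds general trigger in PROBLEM: %s" % (t, general_fires(SAMPLE, t)))
```

Adding a known error is a one-line change to `KNOWN`, but every entry also widens the set of lines that can hide an unknown error inside the same 10-second window.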