Hello,
I'm new to regex and trying to get this right. This is the item I currently have (which almost never fires a trigger - I think it's too insensitive or something):
Code:
logrt["C:\inetpub\logs\LogFiles\W3SVC8\^.*log$","([-]\s400\s|[-]\s401\s|[-]\s403\s|[-]\s404\s|[-]\s500\s|[-]\s503\s|[-]\s504\s)","UTF-8","100","all",]
I'm trying to have a generalistic item that will look for any of the normal status codes and generate an alarm. IIS w3svc log files follow a certain pattern in their status codes; both examples below are possible:
Code:
200 0 0 0 200 555 555 555
The important thing is the first 3 digits for us.
I went online and learnt a little more about regex and came up with this 'beauty':
Code:
\s500\s\d{1,3}\s\d{1,3}\s\d{1,3}|\s400\s\d{1,3}\s\d{1,3}\s\d{1,3}|\s404\s\d{1,3}\s\d{1,3}\s\d{1,3}|\s403\s\d{1,3}\s\d{1,3}\s\d{1,3}|\s401\s\d{1,3}\s\d{1,3}\s\d{1,3}|\s503\s\d{1,3}\s\d{1,3}\s\d{1,3}|\s504\s\d{1,3}\s\d{1,3}\s\d{1,3}
My problem is that when I plug it into https://regex101.com and I put a dump of an IIS log, it only finds one match and stops processing. In fact, I'm not sure if this is a problem? The point is to send us an alarm if it finds a bad result "since the last time it checked". The situation is confusing me just a little, and any guidance would be appreciated!
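An added example, not part of the original post: the two patterns from the post are checked one line at a time, the way a log item evaluates each new record, over four constructed log lines, next to a hypothetical compact pattern `COMPACT`. The field order (referer, then status, sub-status, Win32 status, time taken) and every sample value are assumptions.

```python
import re

# First pattern from the post: needs a literal "-" right before the status code.
POST_FIRST = re.compile(
    r"([-]\s400\s|[-]\s401\s|[-]\s403\s|[-]\s404\s|[-]\s500\s|[-]\s503\s|[-]\s504\s)")

# Second pattern from the post, built from its seven alternatives in the same order.
POST_SECOND = re.compile("|".join(
    rf"\s{code}\s\d{{1,3}}\s\d{{1,3}}\s\d{{1,3}}"
    for code in (500, 400, 404, 403, 401, 503, 504)))

# Hypothetical compact form (assumption, not from the post): same status codes,
# but the three trailing numeric fields may have any number of digits.
COMPACT = re.compile(r"\s(?:40[0134]|50[034])\s\d+\s\d+\s\d+")

# Constructed sample lines; field layout is assumed, not taken from the post.
SAMPLE = "\n".join((
    "2024-01-01 10:00:00 10.0.0.5 GET /index.html - 443 - 192.0.2.10 Mozilla/5.0 - 200 0 0 15",
    "2024-01-01 10:00:01 10.0.0.5 GET /missing - 443 - 192.0.2.10 Mozilla/5.0 - 404 0 2 31",
    "2024-01-01 10:00:02 10.0.0.5 GET /app - 443 - 192.0.2.11 Mozilla/5.0 https://example.test/ 500 0 64 120",
    "2024-01-01 10:00:03 10.0.0.5 GET /admin - 443 - 192.0.2.12 Mozilla/5.0 - 401 1 2148074254 7",
))


def alerting_lines(pattern, log_text):
    """Return 1-based numbers of the lines the pattern matches, tested per line."""
    return [n for n, line in enumerate(log_text.splitlines(), 1)
            if pattern.search(line)]


def first_match_only(pattern, log_text):
    """A single non-global search over the whole dump: stops at the first hit."""
    match = pattern.search(log_text)
    return match.group().strip() if match else None


if __name__ == "__main__":
    for name, pat in (("first", POST_FIRST), ("second", POST_SECOND),
                      ("compact", COMPACT)):
        print(f"{name:8} matches lines {alerting_lines(pat, SAMPLE)}")
    print("single search over dump:", first_match_only(POST_SECOND, SAMPLE))
```

On these lines the first pattern skips the 500 that follows a non-empty referer, and the second skips the 401 whose Win32 status has more than three digits.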