Short version of my question:
Does the data source Microsoft.Unix.SCXLog.VarPriv.DataSource support regular expression with capturing groups, and if so how is the capturing group referenced in the alert suppression value tag?
A bit more context:
My Linux log file entries look something like this:
2015.09.10D13:05:37.127234000 ERR P 54 52 | "some more stuff
2015.09.10D13:05:40.121244000 INF P 14 52 | "info stuff
2015.09.10D13:06:37.227244000 ERR P 10 10 | "some other stuff
2015.09.10D13:10:32.327251000 ERR P 54 52 | "important stuff"
2015.09.10D13:15:32.427212000 ERR P 99 00 | "more stuff"
So basically a line consists of:
- A timestamp,
- the text ERR in case of an error,
- some id like P 54 52,
- a pipe and
- some text.
I'd like the 5 log entries above to result in only 3 alerts, as the alert for ERR P 54 52 should have a repeat count of 1 (as it happened twice).
A possible regex for this could be:
\d{4}\.\d{2}\.\d{2}D\d{2}:\d{2}:\d{2}\.\d{9} ERR (?<errorcode>P \d{2} \d{2}) \| .*
Above I've boldfaced the important part, the capturing group named errorcode:
(?<errorcode>P \d{2} \d{2})
Are capturing groups, named or numbered, supported in this data source? And if so, how are they referenced in the alert suppression definition? I'm hoping for something like this:
<Suppression>
<SuppressionValue>$Data/RegexMatch/errorcode$</SuppressionValue>
</Suppression>
Or in the case of a numbered capturing group regex:
\d{4}\.\d{2}\.\d{2}D\d{2}:\d{2}:\d{2}\.\d{9} ERR (P \d{2} \d{2}) \| .*
It could be referenced like this:
<Suppression>
<SuppressionValue>$Data/RegexMatch[1]$</SuppressionValue>
</Suppression>
Is something like this possible?
- Edited by Michael Brandt Lassen Thursday, September 10, 2015 4:52 PM misspelled
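A stand-alone Python sketch, added here and not part of the question or of SCOM, that runs the question's regex over the five sample lines and keys suppression on the capture group, once by name and once by number. It shows what result the asked-for suppression would give (3 alerts, P 54 52 with repeat count 1); it says nothing about whether Microsoft.Unix.SCXLog.VarPriv.DataSource itself supports capture-group references.

```python
import re

# Constructed sample lines in the format shown in the question.
SAMPLE_LOG = """\
2015.09.10D13:05:37.127234000 ERR P 54 52 | "some more stuff
2015.09.10D13:05:40.121244000 INF P 14 52 | "info stuff
2015.09.10D13:06:37.227244000 ERR P 10 10 | "some other stuff
2015.09.10D13:10:32.327251000 ERR P 54 52 | "important stuff"
2015.09.10D13:15:32.427212000 ERR P 99 00 | "more stuff"
"""

TIMESTAMP = r'\d{4}\.\d{2}\.\d{2}D\d{2}:\d{2}:\d{2}\.\d{9}'

# The question's regexes. Python spells a named group (?P<name>...) where
# .NET (which SCOM uses) spells it (?<name>...); the match is the same.
ERR_LINE_NAMED = re.compile(TIMESTAMP + r' ERR (?P<errorcode>P \d{2} \d{2}) \| .*')
ERR_LINE_NUMBERED = re.compile(TIMESTAMP + r' ERR (P \d{2} \d{2}) \| .*')


def suppress_by_errorcode(log_text, pattern=ERR_LINE_NAMED, key_group="errorcode"):
    """Return {errorcode: repeat_count} for the ERR lines in log_text.

    The first line with a given capture-group value opens an alert (repeat
    count 0); every later line with the same value is suppressed into that
    alert and bumps its repeat count. key_group is the group name or index.
    """
    alerts = {}  # insertion order is preserved, so alerts appear in log order
    for line in log_text.splitlines():
        m = pattern.match(line)
        if m is None:  # INF lines and unparseable lines raise nothing
            continue
        key = m.group(key_group)
        if key in alerts:
            alerts[key] += 1  # same key again: suppressed, repeat count +1
        else:
            alerts[key] = 0   # new key: a fresh alert
    return alerts


if __name__ == "__main__":
    for code, repeats in suppress_by_errorcode(SAMPLE_LOG).items():
        print(f"{code}: repeat count {repeats}")
```

Calling `suppress_by_errorcode(SAMPLE_LOG, ERR_LINE_NUMBERED, 1)` gives the same three alerts, which is the numbered-group variant the question also asks about.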