topic Re: Log Monitoring in Alerting

Alerting based on the starting line in the log file

sundarv1 — Fri, 18 Oct 2024 08:28:12 GMT

content="ORA-128 error "

content="dynatrace alert ORA-128"

We want to generate alert if "ORA-" starting of the line in log file , not in the middle. How do we do it?.

Re: Log Monitoring

sattilas — Sun, 21 Apr 2024 17:09:56 GMT

Hi sundarv1,

Easiest way is to add a processing rule: If content starts with ORA-, add a field ora.error = "TRUE", like this:

USING(content) | FIELDS_ADD(ora.error:IF_THEN(STARTS(content,"ORA-"),"TRUE"))

Based one that field, you can create an events extraction referencing ora.error="TRUE" in log query.

Hope that helps.

Best,

Attila

Re: Log Monitoring

sundarv1 — Sun, 21 Apr 2024 17:17:39 GMT

Thanks. Where I do create processing rule. Do I need this condition in the event extraction?

Re: Log Monitoring

sattilas — Sun, 21 Apr 2024 17:27:13 GMT

You can create processing rule under settings/Log monitoring/Processing, you should put the code in processor definition.

If the code works, then you can set up Events extraction.

Re: Log Monitoring

sundarv1 — Mon, 22 Apr 2024 09:31:07 GMT

1. How to add to Mutiple logs in the matcher condition.?

2. How to create event extraction based on the processing rule?

3. Do we still needs to create log ingest rules and custom log sources?.

Re: Log Monitoring

sattilas — Tue, 23 Apr 2024 08:35:30 GMT

Hi,

Custom log source: You need to add custom log source, if you can not see the log under the Host's Log source dashlet. DT automatically recognize log files, but not all are automatically recognized.

Ingestion rules: If you want to analyze logs with DT, you have to add log ingest rule, to tell DT, that it should analyze the log file. After log ingest rule enabled, you can see the log content in DT's Logs dashboard. Otherwise DT won't analyze the log.

Processing rules: If you want to process the log you captured (for example extract additional attributes, values from content) you have to create processing rules. You can add multiple matcher definitions using AND or OR operators.

Event or Metric extraction: Using attributes you can create Events, alerts, or metrics from the processed log.

This is just a short intoduction to the topic, please refer the documentation.

https://docs.dynatrace.com/docs/observe-and-explore/log-monitoring

Best,

Attila

Re: Log Monitoring

sundarv1 — Tue, 23 Apr 2024 09:04:13 GMT

Thanks. How to add multiple log file in the log watcher?

Re: Log Monitoring

sundarv1 — Wed, 24 Apr 2024 15:29:59 GMT

Thanks Sattilas. solution worked.

 FIELDS_ADD(ora.error:IF_THEN(STARTS(content,"ORA-"),"TRUE"))

one more request - If it starts with ORA and but if it is ORA-1013 - don;t create alert.

How do we do this.

Re: Log Monitoring

sattilas — Wed, 24 Apr 2024 18:35:37 GMT

Hi,

I'm glad I could help 🙂

The solution to your last question, if it starts with "ORA-", except "ORA-1013" is:

FIELDS_ADD(ora.error:IF_THEN(STARTS(content,"ORA-") AND NOT STARTS(content,"ORA-1013"),"TRUE"))

Best,

Attila

Re: Log Monitoring

sundarv1 — Tue, 14 May 2024 04:45:05 GMT

Hi Sattilas

How do we display host IP Address in the Log Monitoring incdients. Currently we are getting Host name only

Thanks

Sundar.v

Re: Log Monitoring

sundarv1 — Wed, 10 Jul 2024 15:07:00 GMT

How do we map to Servicenow Group to the log monitoring so that incident directly assign to group for log events?