
Alerting based on the starting line in the log file

sundarv1
Organizer

content="ORA-128  error "

content="dynatrace alert ORA-128"

We want to generate an alert if "ORA-" is at the start of the line in the log file, not in the middle. How do we do it?

10 REPLIES 10

sattilas
Observer

Hi sundarv1,

Easiest way is to add a processing rule: If content starts with ORA-, add a field ora.error = "TRUE", like this:

USING(content)

|  FIELDS_ADD(ora.error:IF_THEN(STARTS(content,"ORA-"),"TRUE"))

Based on that field, you can create an events extraction referencing ora.error="TRUE" in the log query.

Hope that helps.

Best,

Attila

 

Thanks. Where do I create the processing rule? Do I need this condition in the event extraction?

You can create a processing rule under settings/Log monitoring/Processing; you should put the code in the processor definition.


If the code works, then you can set up Events extraction.

 

 

1. How do we add multiple logs in the matcher condition?

2. How do we create an event extraction based on the processing rule?

3. Do we still need to create log ingest rules and custom log sources?

Hi,

Custom log source: You need to add a custom log source if you cannot see the log under the Host's Log source dashlet. DT automatically recognizes log files, but not all are automatically recognized.

Ingestion rules: If you want to analyze logs with DT, you have to add a log ingest rule to tell DT that it should analyze the log file. After the log ingest rule is enabled, you can see the log content in DT's Logs dashboard. Otherwise DT won't analyze the log.

Processing rules: If you want to process the log you captured (for example, extract additional attributes or values from content), you have to create processing rules. You can add multiple matcher definitions using AND or OR operators.

Event or Metric extraction: Using attributes, you can create Events, alerts, or metrics from the processed log.

This is just a short introduction to the topic; please refer to the documentation.

https://docs.dynatrace.com/docs/observe-and-explore/log-monitoring

 

Best,

Attila

 

 

 

 

Thanks. How do we add multiple log files in the log watcher?

Thanks, Sattilas. The solution worked.

 FIELDS_ADD(ora.error:IF_THEN(STARTS(content,"ORA-"),"TRUE"))

One more request: if it starts with ORA- but it is ORA-1013, don't create an alert.

How do we do this?

Hi,

I'm glad I could help 🙂

The solution to your last question, if it starts with "ORA-", except "ORA-1013" is:

 FIELDS_ADD(ora.error:IF_THEN(STARTS(content,"ORA-") AND NOT STARTS(content,"ORA-1013"),"TRUE"))

Best,

Attila
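
The matching logic from this thread, modelled offline as an added example (not part of the original posts and not Dynatrace processing-rule syntax). It assumes STARTS is a plain string-prefix test; the function names and sample lines are constructed for illustration. It shows where a prefix exclusion and an exact-code exclusion give different answers.

```python
import re

# Hypothetical helper names; this models the rule logic in Python only.
# Used with .match(), so the pattern is anchored at the first character.
ORA_AT_START = re.compile(r"ORA-(\d+)")


def prefix_rule(content, excluded_prefix="ORA-1013"):
    """Mirror of the thread's rule: STARTS(..) AND NOT STARTS(..)."""
    return content.startswith("ORA-") and not content.startswith(excluded_prefix)


def exact_code_rule(content, excluded_codes=frozenset({1013})):
    """Stricter variant: parse the numeric code, exclude exact codes only."""
    m = ORA_AT_START.match(content)
    if m is None:
        return False  # "ORA-<digits>" is not at the start of the line
    return int(m.group(1)) not in excluded_codes


# Constructed sample lines (not taken from a real log).
SAMPLE_LINES = [
    "ORA-128 error",                       # at line start: alert
    "dynatrace alert ORA-128",             # mid-line: no alert
    "ORA-1013: constructed message",       # excluded code: no alert
    "ORA-10130: constructed longer code",  # shares the excluded prefix
    "ORA-01013: constructed padded form",  # same code, zero-padded
    "  ORA-600 leading whitespace",        # not at position 0
]


def evaluate(lines):
    """Return (line, prefix_rule result, exact_code_rule result) per line."""
    return [(ln, prefix_rule(ln), exact_code_rule(ln)) for ln in lines]


def disagreements(lines):
    """Lines where the two exclusion strategies give different answers."""
    return [ln for ln, p, e in evaluate(lines) if p != e]


if __name__ == "__main__":
    for line, p, e in evaluate(SAMPLE_LINES):
        print(f"prefix={p!s:5} exact={e!s:5} {line!r}")
```

The two lines that differ are the ones to test against real log samples before enabling the events extraction: the prefix exclusion silences `ORA-10130` and still alerts on the zero-padded `ORA-01013`.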

 

 

 

Hi Sattilas

How do we display the host IP address in the Log Monitoring incidents? Currently we are getting the host name only.

Thanks

Sundar.v

 

 

How do we map a ServiceNow group to the log monitoring so that incidents are directly assigned to the group for log events?