Re: [logs] logsurfer inclusion

From: Wolfgang Ley (Wolfgang.Ley@private)
Date: Thu Jan 01 2004 - 19:27:37 PST


    Hi,
    
    On Fri, Dec 19, 2003 at 06:38:14PM -0800, Ian McNish wrote:
    > 
    > i'm trying to catch exceptions from a tomcat log but having troubles 
    > matching what i'm after. the first line can always be matched with 
    > '^(.*) - \[(.*)\]: (#####.*)', but unfortunately the first and last 
    > line look the same. that being said, the first and last line are not 
    > actually the part i care about. the middle lines, which i want, are a 
    > mixture of lines of widely varying formats, some start with a time stamp 
    > others with white space. e.g.:
    [...]
    > i have tried a number of things but keep only matching the first or last 
    > line, not the stuff in between.
    > 
    > '^(.*) - \[(.*)\]: (#####.*)' - '^(.*) - \[(.*)\]: (#####.*)' - 0
    >         open '.*' - 1000 180 90
    >         pipe "/usr/bin/cat -"
    > 
    > i would think the above rule would catch the first "*###*" line, then 
    > feed everything up to the next "*###*" line into the new context, the new 
    > context would match everything between. what i'm seeing with this rule 
    > is a match for only the first line.
    
    Contexts themselves are completely inactive (except the default action).
    As a result you can't specify a simple regular expression to end the
    context (and invoke the action). In your example you're creating a
    rule and this rule (not the context!) will be deleted by a ####...
    
    A valid configuration would start with a simple rule to open a new
    context once a #### line is received. Next you need two additional
    rules to deal with the second #### (your end pattern). These additional
    rules would need to 1) report the existing context and 2) delete the
    context (unless you want to use it for more/other purposes).
    
    Here is an example configuration for your setup
    
    ===========================================================================
    #
    # the first ### is the start of a block - the next ### will delete the context
    #
    ' - \[.*\]: #####' - - - 0 continue
    	rule before
    	' - \[.*\]: #####' - ' - \[.*\]: #####' - 0 delete '.*'
    #
    # ...but before we delete it we want to report it :-)
    #
    ' - \[.*\]: #####' - - - 0 continue
    	rule top
    	' - \[.*\]: #####' - ' - \[.*\]: #####' - 0 continue report "/usr/bin/cat -" '.*'
    
    #
    # if we fall through until here, then open a new context
    # (still add a default action in case our end pattern wasn't seen)
    #
    ' - \[.*\]: #####' - - - 0 continue
             open '.*' - 1000 180 90 pipe "/usr/bin/cat -"
    ===========================================================================
    
    Well - the fact that you do use relative timings in the context is
    somewhat tricky. If the context triggers the default action (e.g.
    after seeing too many lines) then the other ending rules would still
    remain in effect.... You're able to delete rules but in this particular
    case it's hard to tell what the "correct" way would be. What do you
    expect if you don't deal with the end pattern but a few seconds later
    it will show up anyway? Use this delayed end pattern as a new start
    pattern?
    
    Bye,
      Wolfgang.
    -- 
    *******************************************************************
    Wolfgang Ley                           Enterprise Services
    Software Competence Center             Wolfgang.Ley@private
    Sun Microsystems GmbH                  Tel: +49 40 251523-0
    Eiffestrasse 80                        Fax: +49 40 251523-77
    D-20537 Hamburg                        http://www.sun.de/
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      NOTICE: This email message is for the sole use of the intended
      recipient(s) and may contain confidential and privileged infor-
      mation. Any unauthorized review, use, disclosure or distribution
      is prohibited. If you are not the intended recipient, please
      contact the sender by reply email and destroy all copies of the
      original message.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysis@private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
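The mechanics discussed in the thread (a marker line opens a context, the next identical-looking marker reports and deletes it, and a line limit or timeout stands in for the context's default action when the end marker never arrives) can be illustrated outside logsurfer. The following Python is an added example written for this archive page; it is not logsurfer code and not the configuration from the reply. It assumes a constructed Tomcat-style excerpt, the poster's own delimiter regex, and one policy choice that is only a question in the reply: a marker line closes an open context if there is one, otherwise it opens a new one, so a delayed end marker after a timeout becomes a new start.

```python
"""Minimal re-implementation of the logsurfer "context" idea for multi-line
Tomcat exception blocks delimited by '#####' marker lines.

Added illustration, not logsurfer's own code.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Same delimiter pattern the original poster used.
MARKER = re.compile(r'^(.*) - \[(.*)\]: (#####.*)')

# Constructed sample (not from the original message): one exception block.
# The middle lines deliberately vary in format, as the poster described.
SAMPLE_LOG = """\
2003-12-19 18:30:01 - [main]: ##### request processing failed
2003-12-19 18:30:01 java.lang.NullPointerException
\tat org.example.Foo.bar(Foo.java:42)
\tat org.example.Baz.qux(Baz.java:17)
2003-12-19 18:30:02 - [main]: ##### request processing failed
"""


@dataclass
class Context:
    """An open block: lines collected so far (marker lines excluded) plus
    the limits that trigger the default action ('open ... 1000 180 90')."""
    opened_at: float
    max_lines: int
    max_age: float                      # seconds before forced reporting
    lines: List[str] = field(default_factory=list)


@dataclass
class Report:
    reason: str                         # 'end-marker', 'max-lines', 'timeout'
    lines: List[str]


class BlockCollector:
    def __init__(self, max_lines: int = 1000, max_age: float = 180.0):
        self.max_lines = max_lines
        self.max_age = max_age
        self.ctx: Optional[Context] = None

    def _close(self, reason: str) -> Report:
        report = Report(reason, list(self.ctx.lines))
        self.ctx = None                 # the "delete" half of the two end rules
        return report

    def feed(self, line: str, now: float) -> List[Report]:
        """Process one log line at time 'now'; return blocks that became
        reportable.  The timeout is checked lazily, on the next line, rather
        than by a timer as logsurfer would do."""
        out: List[Report] = []
        # Default action first: an aged-out context is reported before the
        # new line is considered, so a late end marker is never credited to it.
        if self.ctx and now - self.ctx.opened_at > self.ctx.max_age:
            out.append(self._close('timeout'))
        if MARKER.match(line):
            if self.ctx is not None:
                # Second marker: report, then delete (the 'top'/'before' rules).
                out.append(self._close('end-marker'))
            else:
                # No open context, so this marker starts a block.  After a
                # timeout this is exactly the ambiguity raised in the reply:
                # the delayed end marker becomes a new start.
                self.ctx = Context(now, self.max_lines, self.max_age)
        elif self.ctx is not None:
            self.ctx.lines.append(line)
            if len(self.ctx.lines) >= self.ctx.max_lines:
                out.append(self._close('max-lines'))
        # Lines outside any context simply fall through.
        return out


def run(collector: BlockCollector, events: List[Tuple[str, float]]) -> List[Report]:
    reports: List[Report] = []
    for line, now in events:
        reports.extend(collector.feed(line, now))
    return reports


def demo_normal() -> List[Report]:
    """All five sample lines arrive at once: one block, closed by the marker."""
    events = [(l, 0.0) for l in SAMPLE_LOG.splitlines()]
    return run(BlockCollector(), events)


def demo_late_end() -> Tuple[List[Report], bool]:
    """The end marker arrives 200 s after the block opened (max_age 180 s):
    the timeout reports the block, and the late marker opens a new context."""
    lines = SAMPLE_LOG.splitlines()
    events = [(l, 0.0) for l in lines[:-1]] + [(lines[-1], 200.0)]
    collector = BlockCollector(max_age=180.0)
    return run(collector, events), collector.ctx is not None


if __name__ == "__main__":
    for r in demo_normal():
        print(r.reason, r.lines)
    late_reports, still_open = demo_late_end()
    print(late_reports[0].reason, "context still open:", still_open)
```

The second demo makes the reply's caveat concrete: once the default action has fired, there is no way for the collector to tell a late end marker from a fresh start marker, so a spurious empty context is opened and will itself be closed by the default action later. Whichever policy a deployment chooses, the reporting side should label timeout-closed blocks separately from marker-closed ones, as `Report.reason` does here, so an analyst can see which exception blocks were cut short.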
    



    This archive was generated by hypermail 2b30 : Thu Jan 01 2004 - 19:52:29 PST