PATROL LOG KM Examples - Part 1: Sending one alert per polling cycle

Sorry for not posting for two weeks as I was out of country where I was not able to access this blog.

PATROL LOG KM is one of the most commonly used KMs.  By design, each LOG KM instance monitors one log file.  Two important parameters in LOG KMs are LOGErrorLvl and LOGMatchString. When a string pattern is found in the log file, LOGErrorLvl will go to alarm and the matched log entry will be saved in LOGMatchString. Since you can configure LOG KM to search for multiple string patterns in each log file, all matched log entries are saved together in one LOGMatchString parameter.

If you would like to send all matched log entries as one alert, you can use recovery action to generate an event and send to BPPM/BEM cell.  I have seen many examples that use variable '__udefvar__' in pconfig rules.  But  '__udefvar__' only works with PATROL Notification Server. If you don't use PATROL Notification Server as it is optional to use it prior to PATROL agent 9.x and there is no need to use it with PATROL agent 9.x, you can use event_trigger2() PSL call instead. Here is an example pconfig rule set and PSL code.

Pconfig rule:

"/AS/EVENTSPRING/LOGMON/__ANYINST__/LOGErrorLvl/arsAction" = { REPLACE = "6" },
"/AS/EVENTSPRING/LOGMON/__ANYINST__/LOGErrorLvl/arsCmdType" = { REPLACE = "PSL"},
"/AS/EVENTSPRING/LOGMON/__ANYINST__/LOGErrorLvl/arsCommand" = { REPLACE = "C:\\BMC\\Patrol3\\lib\\psl\\LOGKM_RecoveryAction.psl" }

LOGKM_RecoveryAction.psl code: 

sleep(1);

message = get("/LOGMON/". __instance__."/LOGMatchString/value");

inst= get("/LOGMON/". __instance__."/name");

event_trigger2(inst."/LOGMatchString","STD", "41", ALARM, 4, message);

set("/LOGMON/".__instance__."/LOGErrorLvl/value", 1);

A few things to notice here:

1. You can embed the entire PSL script into "/AS/EVENTSPRING/LOGMON/__ANYINST__/LOGErrorLvl/arsCommand" pconfig variable with some '\' to escape newlines and "()" symbols, etc.

2. The sleep statement in the first line would give PATROL agent enough time to finish writing a big block of data into LOGMatchString.

3. The set statement in the last line sets parameter LOGErrorLvl back to OK state immediately after the recovery action.  Recovery action is triggered by state change.  When another string pattern is found again in the next polling cycle, if the state of parameter LOGErrorLvl remains in ALARM state without going back to OK in between, the recovery action won't be triggered.