NetXMS Support Forum

I am trying to parse the windows application event log to look for sql agent jobs failures.
I want the full windows event log text sent over email since there can be a lot of job fails.

Agent parse file configuration looks like this

<parser>
  <file>*Application</file>
  <rules>
    <rule>
      <severity>6</severity>
      <match>(SQL Server Scheduled Job)*(Message: The job failed)*</match>
      <event params="1">100025</event>
    </rule>
  </rules>
</parser>
If I let it configured like this it will only send some generic information.
If I replace <match>(.*)</match> it will send the full event text.
In both situation it will send the message twice.
What am I doing wrong?

Hi!

It probably should be something like this:

<match>(SQL Server Scheduled Job.*Message: The job failed.*)</match>

if you want to capture full text but match only messages with certain words in it.

Best regards,
Victor

Thanks, it worked!
Now I have another issue with establishing a counter for the matched records and displayed in a dashboard.
I think the parameter I need is LogWatch.Parser.MatchedRecords(*) .
Simply placing this parameter in Data Collection Configuration dose not work
What do I need to replace * with in order to run correctly?

Hi!

You should replace * with parser's name. By default parser name is file name (given in <file>), but you can override it with name attribute, like this:

<parser name="AppLog">
  <file>*Application</file>
  <rules>
    <rule>
      <severity>6</severity>
      <match>(SQL Server Scheduled Job)*(Message: The job failed)*</match>
      <event params="1">100025</event>
    </rule>
  </rules>
</parser>

and then use LogWatch.Parser.MatchedRecords(AppLog)

Best regards,
Victor

Once again thanks a lot.
It's working like a charm.