Here is the search:
index="brm" host="a-brmapp*" source="/opt/portal/pin/7.5/var/cm/cm.pinlog" PIN_ERR_STORAGE
Now, it DOES find two matches. They are as follows:
D Wed Jan 7 17:10:09 2015 a-brmapp1.corp.com cm:37041 cm_child.c(120):1016 1:a-brmpipe1:UnknownProgramName:0:AWT-EventQueue-0:7:1420650609:0 cm_pcm_op_call_stack ... 3 lines omitted ... 0.001977829 .Exit PCM_OP_SEARCH (0x0) - from DM 0.0.0.1 0.002006352 Exit PCM_OP_SEARCH (0x0) PIN_ERR_STORAGE
E Wed Jan 7 07:39:32 2015 a-brmapp1.corp.com cm:70115 cm_child.c(120):4723 1:a-brmapp1.corp.com:rax_gen_bill_object:70064:-362808464331:1420616372:250 ... 2 lines omitted ... 0 PIN_FLD_POID POID [0] 0.0.0.1 /procedure -1 0 0 PIN_FLD_ERR_BUF ERR [0] <location=PIN_ERRLOC_DM:4 class=UNKNOWN:0 errno=PIN_ERR_STORAGE:43> <field num=0:0,0 recid=0 reserved=1422 reserved2=0 time(sec:usec)=0:0>
The first match was a test whereby we echoed the string (PIN_ERR_STORAGE) into the log. It matched this one and triggered an alert. The second match is an actual entry in the log file. Running the search manually finds the entry, but it doesn't trigger an alert.
It seems the only way to get this to work is to include the entire string "errno=PIN_ERR_STORAGE" as follows:
index="brm" host="a-brmapp*" source="/opt/portal/pin/7.5/var/cm/cm.pinlog" "errno=PIN_ERR_STORAGE"
Result:
E Wed Jan 7 07:39:32 2015 a-brmapp1.corp.com cm:70115 cm_child.c(120):4723 1:a-brmapp1.corp.com:rax_gen_bill_object:70064:-362808464331:1420616372:250 ... 2 lines omitted ... 0 PIN_FLD_POID POID [0] 0.0.0.1 /procedure -1 0 0 PIN_FLD_ERR_BUF ERR [0] <location=PIN_ERRLOC_DM:4 class=UNKNOWN:0 errno=PIN_ERR_STORAGE:43> <field num=0:0,0 recid=0 reserved=1422 reserved2=0 time(sec:usec)=0:0>
Can anyone please tell me how I can match ANY string containing "PIN_ERR_STORAGE"?
Thank you in advance!