Event log rule based on EventDescription with wildcards or regular expressions

  • Question

  • Hi,

    I'm struggling with several rules that need "EventDescription" as criteria with "Does not match wildcard" or "Does not match regular expression".

    What I did:

    - create a simple event log rule

    - with criteria: Event Level, Event Source

    All works fine.

    But then I needed to add the description as criteria, so I used "Use parameter name not specified above" and typed EventDescription.

    When I used:

    - "does not match wild card" with Value: *first part of text*second part of text*

    - "does not match regular expression" with Value: ^.*(first part of the text.*second part of the text).*$  (also tried this without the (), but I want to use the group so I can also use the | or-sign)

    I got the following error:

    The Microsoft Operations Manager Expression Filter Module failed to process a data item and dropped it.

    Error: 0x80004005

    How do I solve this? I have to be able to filter out these parts of text and sometimes it's more than one sort of text pattern.

    Regards,

    Peter

    Tuesday, February 8, 2011 3:29 PM

All replies

  • they should just build in a regex check function imho like they did in the unix monitoring part.

    Not sure if this is true for SCOM, but for MOM spaces in a text string were never picked up correctly. To use a space in a regex you had to use [ ], but I usually replaced the space with a dot (of course this could theoretically result in an incorrect match as you'd assign "any char" to a space).

    Btw, it's usually not a smart thing to do to use text from the description. When you can use parameters for filtering try and use them instead.


    Rob Korving
    http://jama00.wordpress.com/
    • Proposed as answer by Nicholas Li Thursday, February 10, 2011 3:59 AM
    • Marked as answer by Nicholas Li Monday, February 28, 2011 1:48 AM
    Wednesday, February 9, 2011 2:34 PM
  • Something to keep in mind - what you see in the event viewer in the description field may not be what is in the data stream. When an event is built using parameters, the parameter values are not part of the text that can be compared directly.

    Guidance wise: Consider using . characters - e.g. ".*" means any character followed by any number of any character - when using regular expressions.

    Also, the wildcard characters may need to be SQL wild card characters % in some cases.


    There are many examples of queries in these forums on regular expressions - so try searching as well.


    Microsoft Corporation
    • Proposed as answer by Nicholas Li Thursday, February 10, 2011 3:59 AM
    • Marked as answer by Nicholas Li Monday, February 28, 2011 1:48 AM
    Wednesday, February 9, 2011 8:07 PM
  • I found the problem, but not the solution :-(

    It's a problem when I use "EventDescription" and "match wildcard or regular expression" and when the event description has a "Carriage Return" in it.

    For this problem, but on Windows 2008, I already logged a thread. But this thread was removed and never answered (reorganisation of this forum?)

    I think it's a bug in OpsMgr, because it's both on Windows 2003 and 2008 and it worked in MOM2005.


    Rob, I know that it's not recommended to use text from the EventDescription. But for now it's the only way I can monitor the applications.

    The application logs different calls with the same eventID and source. 

    So, event description is the only option.

    Thursday, February 10, 2011 6:06 PM
  • are you sure?

    a lot of the time a description is just something like: the %1 failed to start because error %2 has occurred. Those parameters can be filtered on without actually looking at the description. It might not be sufficient for your scenario, but probably worth taking a look at.


    Rob Korving
    http://jama00.wordpress.com/
    • Proposed as answer by Nicholas Li Monday, February 21, 2011 6:22 AM
    Wednesday, February 16, 2011 9:19 AM
  • Yes,

    I asked the developers for quite some time to use those parameters, but they don't seem to get it right. Even if I gave them the code to do it. :-)

    I managed to solve it with 'AND' and 'OR' groups and using 'contains'.

    It's much more work, but OpsMgr seems to understand that.

    • Marked as answer by Nicholas Li Monday, February 28, 2011 1:49 AM
    Wednesday, February 23, 2011 3:36 PM
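The two patterns from the question, checked against a description with a CRLF in it (the trigger Peter identified) and against the AND/OR 'contains' workaround the thread settled on; this is an added example, not code from the thread or from OpsMgr. It assumes the filter module evaluates the expression with the usual default that "." does not cross a line break (as .NET and Python regex do unless single-line/DOTALL mode is set); the sample descriptions are constructed, not real event text.

```python
import re

# Constructed sample descriptions (not from the thread). The second one carries
# the "Carriage Return" that the poster found makes the rule fail.
SINGLE_LINE = "first part of text was logged, then second part of text followed"
MULTI_LINE = "first part of text was logged\r\nthen second part of text followed"


def wildcard_to_regex(pattern: str) -> str:
    """Translate a SCOM-style wildcard (* and ?) into an anchored regex;
    every other character is escaped so it is matched literally."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return "^" + "".join(parts) + "$"


def matches(regex: str, text: str, span_lines: bool = False) -> bool:
    """Evaluate the regex as a filter would: '.' stops at a newline unless
    single-line (DOTALL) mode is requested. Writing [\\s\\S] instead of '.'
    in the pattern has the same effect without changing the mode."""
    flags = re.DOTALL if span_lines else 0
    return re.search(regex, text, flags) is not None


def contains_all_any(text: str, all_of: list, any_of: list) -> bool:
    """The AND/OR-of-'contains' workaround from the accepted reply: every
    'all_of' fragment must be present, plus at least one 'any_of' fragment."""
    return all(f in text for f in all_of) and any(f in text for f in any_of)


def demo() -> dict:
    wildcard_rx = wildcard_to_regex("*first part of text*second part of text*")
    grouped_rx = r"^.*(first part of text.*second part of text).*$"
    return {
        "wildcard_single_line": matches(wildcard_rx, SINGLE_LINE),
        "wildcard_multi_line": matches(wildcard_rx, MULTI_LINE),        # fails on CRLF
        "wildcard_multi_line_dotall": matches(wildcard_rx, MULTI_LINE, True),
        "grouped_multi_line": matches(grouped_rx, MULTI_LINE),          # fails on CRLF
        "grouped_multi_line_dotall": matches(grouped_rx, MULTI_LINE, True),
        "contains_workaround": contains_all_any(
            MULTI_LINE, ["first part of text", "second part of text"], ["second", "other"]),
    }
```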