Sandeepan Nath - 8 months ago 38
Linux Question

Unable to correctly parse out log lines containing particular keyword using nginx logwarn

With the following log line added after the last invocation of check_logwarn command -

[Tue Nov 22 11:04:03 2016] [hphp] [10755:7f41af3ff700:6272:000001] [] SlowTimer [2086ms] at runtime/ext_mysql: slow query: SELECT b.bannerid, b.campaignid FROM ox_banners b, ox_campaigns c WHERE b.campaignid = c.campaignid AND (b.status = 0 OR b.`updated` >= now() - INTERVAL 7 DAY) AND (c.status = 0 OR c.`updated` >= now() - INTERVAL 7 DAY) AND b.updated >= '2016-11-22 11:03:01';

The following logwarn command, looking for
, finds a matching log, as I expect (output is the entire log line which was added after the last invocation of the command) -

/usr/local/nagios/libexec/check_logwarn -d /tmp/logwarn_hiphop_error /mnt/log/hiphop/error_`(date +'%Y%m%d')`.log ".*SlowTimer.*"

However, the following command looking for
also finds a matching log, which I do not expect -

/usr/local/nagios/libexec/check_logwarn -d /tmp/logwarn_hiphop_error /mnt/log/hiphop/error_`(date +'%Y%m%d')`.log ".*SlowTimers.*"

I tested the regex on, and
matches whereas
does not match anything. I think this is pretty simple regex and works similar across the various flavors.

When the command does not find anything matching (e.g. when there is no new log line after the last invocation), this is the output I get -

OK: No log errors found

I am expecting the above output when I look for

Please find logwarn Manual for reference.

Answer Source

Think you may need to use the -p flag:

 -p      Change default match behavior to non-matching.  By default, if a log
         message doesn't match any of the positive or negative patterns, it is
         considered a match.  This flag reverses this behavior so that these
         messages are considered non-matches.

Also I could be wrong about this but think the regex could be simplified to SlowTimers rather than .*SlowTimers.*. It isn't specifying start (^) and end ($) so could appear anywhere in the text.
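
The decision described in the quoted -p text, modelled as a small shell function. This is an added example, not part of the original answer and not logwarn's own code. It assumes patterns are tried in order, that the first hit decides, and that a leading "!" marks a negative pattern; `decide` and `SAMPLE` are hypothetical names, and the sample line is a shortened, constructed form of the log line in the question.

```sh
#!/bin/sh
# Model of the match decision described in the -p excerpt above.
# Not logwarn's implementation. Assumptions: patterns are tried in order,
# the first hit decides, and a leading "!" marks a negative pattern.

# Constructed sample: shortened form of the log line from the question.
SAMPLE='[Tue Nov 22 11:04:03 2016] [hphp] [] SlowTimer [2086ms] at runtime/ext_mysql: slow query: SELECT ...'

# decide MODE LINE PATTERN...
#   MODE is "default" (no -p) or "p" (-p given).
#   Prints "match" if the line would be reported, otherwise "nomatch".
decide() {
    mode=$1
    line=$2
    shift 2
    for pat in "$@"; do
        case $pat in
            '!'*)
                # Negative pattern: a hit means the line is not reported.
                if printf '%s\n' "$line" | grep -Eq -- "${pat#!}"; then
                    echo nomatch
                    return 0
                fi
                ;;
            *)
                # Positive pattern: a hit means the line is reported.
                if printf '%s\n' "$line" | grep -Eq -- "$pat"; then
                    echo match
                    return 0
                fi
                ;;
        esac
    done
    # No pattern hit at all: this is the only case the -p flag changes.
    if [ "$mode" = p ]; then
        echo nomatch
    else
        echo match
    fi
}

decide default "$SAMPLE" '.*SlowTimer.*'    # match   (positive pattern hit)
decide default "$SAMPLE" '.*SlowTimers.*'   # match   (no hit, default applies)
decide p       "$SAMPLE" '.*SlowTimers.*'   # nomatch (no hit, -p reverses it)
decide p       "$SAMPLE" 'SlowTimer'        # match   (unanchored pattern still hits)
```

For a monitoring check, the second call is the case to watch for: without -p, a pattern that matches nothing still reports every new line, so a typo in the pattern shows up as noise rather than as silence.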