Sandeepan Nath - 13 days ago 6
Linux Question

Unable to correctly parse out log lines containing particular keyword using nginx logwarn

With the following log line added after the last invocation of check_logwarn command -

[Tue Nov 22 11:04:03 2016] [hphp] [10755:7f41af3ff700:6272:000001] [] SlowTimer [2086ms] at runtime/ext_mysql: slow query: SELECT b.bannerid, b.campaignid FROM ox_banners b, ox_campaigns c WHERE b.campaignid = c.campaignid AND (b.status = 0 OR b.`updated` >= now() - INTERVAL 7 DAY) AND (c.status = 0 OR c.`updated` >= now() - INTERVAL 7 DAY) AND b.updated >= '2016-11-22 11:03:01';


The following logwarn command, looking for SlowTimer, finds a matching log, as I expect (output is the entire log line which was added after the last invocation of the command) -

/usr/local/nagios/libexec/check_logwarn -d /tmp/logwarn_hiphop_error /mnt/log/hiphop/error_`(date +'%Y%m%d')`.log ".*SlowTimer.*"


However, the following command looking for SlowTimers also finds a matching log, which I do not expect -

/usr/local/nagios/libexec/check_logwarn -d /tmp/logwarn_hiphop_error /mnt/log/hiphop/error_`(date +'%Y%m%d')`.log ".*SlowTimers.*"


I tested the regex on https://regex101.com/, and /.*SlowTimer.*/g matches whereas /.*SlowTimers.*/g does not match anything. I think this is a pretty simple regex and works similarly across the various flavors.

When the command does not find anything matching (e.g. when there is no new log line after the last invocation), this is the output I get -

OK: No log errors found


I am expecting the above output when I look for .*SlowTimers.*.

Please find logwarn Manual for reference.

Answer

Think you may need to use the -p flag:

 -p      Change default match behavior to non-matching.  By default, if a log
         message doesn't match any of the positive or negative patterns, it is
         considered a match.  This flag reverses this behavior so that these
         messages are considered non-matches.

Also I could be wrong about this but think the regex could be simplified to SlowTimers rather than .*SlowTimers.*. It isn't specifying start (^) and end ($) so could appear anywhere in the text.
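
The rule quoted from the manual, modelled as an added shell example (not part of the original answer and not logwarn's own code). It assumes a pattern starting with ! is negative and that the first pattern to hit decides the outcome; the two log lines are constructed, the first a shortened form of the line in the question.

```shell
#!/bin/sh
# Model of the rule in the manual excerpt; not logwarn's own code.
# Assumptions: a pattern starting with '!' is negative, patterns are tried
# in order, and the first pattern that hits decides the outcome.

# Constructed sample: a shortened SlowTimer line plus an unrelated line.
SAMPLE_LOG='[Tue Nov 22 11:04:03 2016] [hphp] [] SlowTimer [2086ms] at runtime/ext_mysql: slow query: SELECT 1;
[Tue Nov 22 11:04:09 2016] [hphp] [] request completed'

# classify LINE DEFAULT PATTERN...  -> prints "match" or "nomatch"
# DEFAULT is "match" (no -p) or "nomatch" (with -p).
classify() {
    line=$1
    default=$2
    shift 2
    for pat in "$@"; do
        case $pat in
            '!'*) verdict=nomatch; re=${pat#?} ;;   # negative pattern
            *)    verdict=match;   re=$pat ;;       # positive pattern
        esac
        if printf '%s\n' "$line" | grep -Eq -- "$re"; then
            echo "$verdict"
            return 0
        fi
    done
    # No pattern hit: the default decides, which is what -p flips.
    echo "$default"
}

# count_matches DEFAULT PATTERN...  -> number of SAMPLE_LOG lines reported
count_matches() {
    n=0
    while IFS= read -r l; do
        if [ "$(classify "$l" "$@")" = match ]; then
            n=$((n + 1))
        fi
    done <<EOF
$SAMPLE_LOG
EOF
    echo "$n"
}
```

Under this model, `count_matches match '.*SlowTimers.*'` reports both lines even though neither contains SlowTimers, while `count_matches nomatch '.*SlowTimer.*'` reports only the slow-query line.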
