[collectd] baffled by tail regex

Clay Loveless clay at killersoft.com
Sun Apr 25 20:46:21 CEST 2010 

Hi folks,

I'm running collectd 4.9.2.

I'm tailing a log file, looking for a number. My tail config looks like this:

LoadPlugin tail              
<Plugin tail>
  <File "/opt/splunk/var/log/splunk/scheduler.log">
    Instance "splunk-scheduler-log"       
    <Match> 
      Regex "monitor_lighty_hosts__splunkalerts.*result_count=(\d+)"
      DSType "CounterSet"
      Type "counter"
      Instance "lighty_hostcount"
    </Match>
  </File>
</Plugin>


The log file in question contains a lot of entries, but the ones I'm looking for look like this:

04-25-2010 18:35:14.087 INFO  SavedSplunker - savedsearch_id="nobody;FooSearch;monitor_lighty_hosts__splunkalerts", user="nobody", app="FooSearch", savedsearch_name="monitor_lighty_hosts__splunkalerts", status=success, scheduled_time=1272220500, dispatch_time=1272220504, run_time=8.064, result_count=31, alert_actions="", sid="scheduler__nobody__FooSearch_bW9uaXRvcl9saWdodHlfaG9zdHNfX3NwbHVua2FsZXJ0cw_at_1272220500_317731676", thread_id="AlertNotifierWorker-0"


Every flavor of regular expression I've tried for picking out the result_count seems to be failing. Variants I've tried, all of which work outside of collectd, are:

monitor_lighty_hosts__splunkalerts.*result_count=(\d+)
monitor_lighty_hosts__splunkalerts.+result_count=([0-9]+)
monitor_lighty_hosts__splunkalerts.+result_count.([0-9][0-9])
monitor_lighty_hosts__splunkalerts.*result_count.([^,]+),


My threshold for alerts block is set up like this:

<Threshold>
  <Plugin "tail">
    <Type "counter">
      Instance "lighty_hostcount"
      WarningMin 31
    </Type>
  </Plugin>    
</Threshold>


I want to get an email when the result_count of the log in question drops below 31. Based on my understanding, this should be working as configured above. However, I'm getting emails stating:


Message: Host i-ad3d7cc5, plugin tail (instance splunk-scheduler-log) type counter (instance lighty_hostcount): Data source "value" is currently 0.000000. That is below the warning threshold of 31.000000.



Why aren't any of my regex flavors matching? I've tested out many different variants against this log file, and can get '31' as the first subexpression match every time. Is there something about the regex flavor that <Match> uses within Tail that I don't understand?

Thanks in advance!

Regards,
Clay


--
Clay Loveless
Founder
w: http://killersoft.com
t: @claylo

More information about the collectd mailing list