Log Monitor Probe returns values of greater than 4,000 characters

Document ID : KB000117339
Last Modified Date : 25/10/2018
Show Technical Document Details
Introduction:
logmon probe is creating alarms with more than 4,000 characters. These are then passed to Spectrum, which in turn emails the engineer assigned to the alarm. There is a limit of 4117 characters in the field for emailing purposes. Is it possible to reduce the size of the logmon alarm message being sent so the logmon alarm message can be displayed correctly in the email?
Question:
Is it possible to reduce the size of the logmon alarm message being sent so the logmon alarm message can be displayed correctly in the email?
Environment:
UIM 8.51
logmon 4.00
Answer:
It is possible to control the number of characters in the logmon probe alarm from a Watcher Rule by carefully configuring the regular expression match string in the watcher rule, then using variables to build the alarm message.

For example, if the Watcher Rule must match any line that starts with the string:

Exception

and you need as much of the message in the log file so that the alarm message you generate does not exceed 4000 characters, but the rest of the matched line can contain anything or any number of characters, you can use a regular expression similar to the following:

/(^Exception)([\s\S]{0,3991}).*$/

Here's is an explanation of this regular expression:

(^Exception)

This matches the literal string "Exception" at the beginning of the line. The () around the string mark this as match group 1.

([\s\S]{0,3991})

This matches from 0 to 3991 occurrences of any character or white space. Again, the () around the match string mark this as match group 2.
Assuming that you want to include the string in the first match group in the alarm message and need to keep the alarm message from exceeding 4000 characters, you have to limit the number of characters you will match in this second group.  Since the initial match string contains 9 characters, you do not want to match more than 3991 additional characters in the string.

,*$

This matches any additional characters after the first 4000 characters.

On the Variables tab of the Watcher Rule, you would then define 2 variables using the match group number to identify the position of the match group in the matched line.  Here are examples of defining 2 variables, Exception and content, which will be used to generate the alarm:

Variable setting for first regular expression match group
Variable setting for second regular expression match group

Finally, create the message to be generated when the Watch Rule matches a string in the monitoring file using the variables crated.
In this example, a sample alarm message can be:

${Exception}${content}

If you wish to enhance the alarm message (include the profile name, watcher rule, monitored log file, etc), and have to maintain a 4000 character max limit in the alarm message, then correct the match range for the second match group in the regular expression - {0,3991} - decreasing the max number of characters to match after the initial Exception string.