NTEVL: How to capture a value via regex

Document ID : KB000115665
Last Modified Date : 12/12/2018
Show Technical Document Details
Introduction:
In this use case, the customer has a a very long application log event message that does not have a clear column definition (meaning the column separators such as , . or space cannot be used reliably), and needs to extract some crucial information to use in variables to put these into a meaningful alarm message.

 
Background:
To further explain the use case, a sample of the event structure:

" Alert:Data Protection, Job <status> CommCell: <system> Client: <hostname> Application:<application with spaces> Subclient: <system> Backup set: <name> Instance: <hostname> MediaAgent: <name with spaces> Storage Policy: <name> Library: <name> User:<username> DA Description:<status> Criteria: <result> , Client: <hostname> , Agent Type: <application>, Instance: <hostname>, Backup Set: <name> , Subclient: <system> , Status: <status>, Job ID: <INT>, Error Code: <error>, Failure Reason: <message> "

Due to the nature of some of the values, you cannot use the column function to set your variable value. Instead, you would need to use a regex to find the value (s) you need and then be able to put these into a meaningful alarm message.

 
Environment:
NTEVL any version
Instructions:
In your NTEVL profile, the regex to capture the value you want must be in the message string field.

Example: /((?<=Client:).*?(?=\s)).*((?<=Subclient: ).*?(?=\s)).*((?<=Job ID: ).*?(?=\s))/   

This captures all three required variables . On the variables tab you then create a variable, with the "source from" as "match expression" and on the "threshold" you use the operator "RE" with a threshold of "1". You then switch to "character position" and enter "1"  as well and then switch back to "match expression" and confirm with "OK". This how it should look like:
Variable Settings
This will then return the first value of the regex expression from the message string. In order to have more than one value (for other variables), the regex you use would need to return more than one value. And on the variable you would then set the threshold to 2 etc. 

You can then uses these variables in your alarm message to receive a smaller, usable alarm message based on the event.