Logmon Probe Scan Mode URL - Unexpected Alarms

Article ID: 141756

Products

NIMSOFT PROBES
DX Infrastructure Management

Issue/Introduction

I am using logmon probe to monitor a URL http://host.domain.com/LogsForServiceNow/03122019.txt
The content of the URL is something like below:
 
PEPSICOSELL TURKEY,GO TO MARKET APPLICATION SUPPORT (PROFE) TURKEY,HIGH,MonitoringJob Hata Bildirimi DCStockBalanceTransferJob
PEPSICOSELL TURKEY,GO TO MARKET APPLICATION SUPPORT (PROFE) TURKEY,HIGH,MonitoringJob Hata Bildirimi CustomerProductCodeJob
PEPSICOSELL TURKEY,GO TO MARKET APPLICATION SUPPORT (PROFE) TURKEY,HIGH,MonitoringJob Hata Bildirimi SegmentActivePasiveJob
 
Regex used: /(PEPSICOSELL TURKEY),(.*),(.*),(.*)/
 
While using the regex and implementing the suppression key as the 4th variable, I am expecting 3 alarms in the console but only 1 alarm is being triggered.
This is not the expected outcome; when the same regex is used on a plain text file, I get 3 alarms.

Is there a bug in the probe, or are there some restrictions on what we can use while scanning a URL via logmon?
 

Cause

The URL scan works differently than a file scan.
With a file scan, each line is read individually and the matches are checked against it.
When doing a URL scan, the entire returned response is treated as a single line.

Environment

UIM 9.X and earlier
LOGMON 4.11
url_response 4.46

Resolution

This is working as designed.
When reading in the URL information, the probe reads it in as a single entry and checks for a match.
It does not check each line as a file read does.

Below is from the log files.

Dec 12 11:21:30:927 [7760] logmon: lgm: Read File
Dec 12 11:21:30:927 [7760] logmon: lgm: read the line: [PEPSICOSELL TURKEY,GO TO MARKET APPLICATION SUPPORT (PROFE) TURKEY,HIGH,MonitoringJob Hata Bildirimi DCStockBalanceTransferJob PEPSICOSELL TURKEY,GO TO MARKET APPLICATION SUPPORT (PROFE) TURKEY,HIGH,MonitoringJob Hata Bildirimi CustomerProductCodeJob PEPSICOSELL TURKEY,GO TO MARKET APPLICATION SUPPORT (PROFE) TURKEY,HIGH,MonitoringJob Hata Bildirimi SegmentActivePasiveJob PEPSICOSELL TURKEY,GO TO MARKET APPLICATION SUPPORT (PROFE) TURKEY,HIGH,MonitoringJob Hata Bildirimi ErpAlwDocumentGiroTransferJob PEPSICOSELL TURKEY,GO TO MARKET APPLICATION SUPPORT (PROFE) TURKEY,HIGH,MonitoringJob Hata Bildirimi DCStockBalanceTransferJob PEPSICOSELL TURKEY,GO TO MARKET APPLICATION SUPPORT (PROFE) TURKEY,HIGH,MonitoringJob Hata Bildirimi SurveyFrequencyGeneratorJob PEPSICOSELL TURKEY,GO TO MARKET APPLICATION SUPPORT (PROFE) TURKEY,HIGH,MonitoringJob Hata Bildirimi DCStockBalanceTransferJob PEPSICOSELL TURKEY,GO TO MARKET APPLICATION SUPPORT (PROFE) TURKEY,HIGH,MonitoringJob Hata Bildirimi LogWriterJob PEPSICOSELL TURKEY,GO TO MARKET APPLICATION SUPPORT (PROFE) TURKEY,HIGH,MonitoringJob Hata Bildirimi ArventoGPSTransferJob PEPSICOSELL TURKEY,GO TO MARKET APPLICATION SUPPORT (PROFE) TURKEY,HIGH,MonitoringJob Hata Bildirimi DCStockBalanceTransferJob PEPSICOSELL TURKEY,GO TO MARKET APPLICATION SUPPORT (PROFE) TURKEY,HIGH,MonitoringJob Hata Bildirimi SegmentActivePasiveJob ]
Dec 12 11:21:30:927 [7760] logmon: (scan) - all watchers have completed
Dec 12 11:21:30:927 [7760] logmon: ciOpen - cache path: C:\Program Files (x86)\Nimsoft\niscache
Dec 12 11:21:30:927 [7760] logmon: [weblog] weblog.http://host.domain.com/LogsForServiceNow/03122019.txt: URL Alarm, severity=0, sid=1.1, msg='weblog: Successfully loaded http://uat.pepsicosell.com/LogsForServiceNow/03122019.txt'


Versus below, where each line has a separate entry:

Dec 12 10:36:01:715 [4968] logmon: (detectFileEncoding)Encoding of the file is '0'
Dec 12 10:36:01:715 [4968] logmon: (detectFileEncoding)Encoding of the file is 'ISO-8859-1'
Dec 12 10:36:01:715 [4968] logmon: lgm: Read File
Dec 12 10:36:01:715 [4968] logmon: lgm: read the line: [PEPSICOSELL TURKEY,GO TO MARKET APPLICATION SUPPORT (PROFE) TURKEY,HIGH,MonitoringJob Hata Bildirimi DCStockBalanceTransferJob]
Dec 12 10:36:01:715 [4968] logmon: lgm: check format start..[0]
Dec 12 10:36:01:715 [4968] logmon: lgm: format start
Dec 12 10:36:01:715 [4968] logmon: lgm: FORMAT END START
Dec 12 10:36:01:715 [4968] logmon: (scan) Pepsico_Turkey offset 0
Dec 12 10:36:01:716 [4968] logmon: [weblog_local] In WithI18n section [PEPSICOSELL TURKEY,GO TO MARKET APPLICATION SUPPORT (PROFE) TURKEY,HIGH,MonitoringJob Hata Bildirimi DCStockBalanceTransferJob],[ERCP—],[ISO-8859-1],[5]
Dec 12 10:36:01:716 [4968] logmon: [weblog_local] MATCH [Pepsico_Turkey] on line 0
Dec 12 10:36:01:716 [4968] logmon: weblog_local.Pepsico_Turkey: Published Message, subject='weblog'
Dec 12 10:36:01:716 [4968] logmon: SREQUEST: post ->10.74.121.92/48001
Dec 12 10:36:01:716 [4968] logmon: RREPLY: status=OK(0) <-10.74.121.92/48001 h=37 d=28
Dec 12 10:36:01:716 [4968] logmon: [weblog_local] weblog_local.Pepsico_Turkey: Alarm Message, severity=2, sid=1.1, msg='LOCAL- Application_monitoring:Test Message MonitoringJob Hata Bildirimi DCStockBalanceTransferJob ||SERVER MONITORING' suppKey = y+000000000#MonitoringJob Hata Bildirimi DCStockBalanceTransferJob
Dec 12 10:36:01:716 [4968] logmon: ciOpen - cache path: C:\Program Files (x86)\Nimsoft\niscache
Dec 12 10:36:01:717 [4968] logmon: RREPLY: status=OK(0) <-10.74.121.92/48001 h=37 d=28
Dec 12 10:36:01:717 [4968] logmon: ciClose - [CECC977155805FC51AA8E7199D3FD3422]
Dec 12 10:36:01:717 [4968] logmon: lgm: Read File
Dec 12 10:36:01:717 [4968] logmon: lgm: read the line: [PEPSICOSELL TURKEY,GO TO MARKET APPLICATION SUPPORT (PROFE) TURKEY,HIGH,MonitoringJob Hata Bildirimi CustomerProductCodeJob]
Dec 12 10:36:01:717 [4968] logmon: lgm: check format start..[0]
Dec 12 10:36:01:717 [4968] logmon: lgm: format start
Dec 12 10:36:01:717 [4968] logmon: lgm: FORMAT END START
Dec 12 10:36:01:717 [4968] logmon: (scan) Pepsico_Turkey offset 0
Dec 12 10:36:01:717 [4968] logmon: [weblog_local] In WithI18n section [PEPSICOSELL TURKEY,GO TO MARKET APPLICATION SUPPORT (PROFE) TURKEY,HIGH,MonitoringJob Hata Bildirimi CustomerProductCodeJob],[ERCP—],[ISO-8859-1],[5]

If you could create multiple watchers to look for different lines or sections then each watcher could send an alarm.

But from your one watch rule, you will get one line match.
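
The difference between the two scan modes can be reproduced outside the probe. The following is an added example, not logmon code or anything supplied by the vendor: it applies the article's regex once per entry. It models the URL response as the records joined by spaces, as they appear in the "read the line" log excerpt above (an assumption about the probe's internals). The function names are hypothetical.

```python
import re

# Regex from the article; the 4th capture group is used as the suppression key.
PATTERN = re.compile(r"(PEPSICOSELL TURKEY),(.*),(.*),(.*)")

# Constructed sample: the three records shown in the article.
PREFIX = ("PEPSICOSELL TURKEY,GO TO MARKET APPLICATION SUPPORT (PROFE) TURKEY,"
          "HIGH,MonitoringJob Hata Bildirimi ")
RECORDS = [PREFIX + job for job in (
    "DCStockBalanceTransferJob",
    "CustomerProductCodeJob",
    "SegmentActivePasiveJob",
)]


def suppression_keys(entries):
    """Apply the watcher regex once per entry; return distinct group-4 keys in order."""
    keys = []
    for entry in entries:
        m = PATTERN.search(entry)
        if m and m.group(4) not in keys:
            keys.append(m.group(4))
    return keys


def file_scan(records):
    """File mode: every line is its own entry, so each record can match."""
    return suppression_keys(records)


def url_scan(records):
    """URL mode (assumed model): the whole response is one entry."""
    return suppression_keys([" ".join(records)])


if __name__ == "__main__":
    print("file scan keys:", file_scan(RECORDS))
    print("url scan keys: ", url_scan(RECORDS))
    # The greedy second group swallows every record except the tail of the last one.
    print("url scan group 2:", PATTERN.search(" ".join(RECORDS)).group(2))
```

In URL mode the greedy `(.*)` groups backtrack from the end of the single entry, so the only suppression key produced comes from the last record, and the earlier records are absorbed into group 2 without raising alarms of their own.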