How logmon handles multi-line formats (blocks)


Article ID: 369683


Products

DX Unified Infrastructure Management (Nimsoft / UIM)

Issue/Introduction

In logmon, it is possible to define a "block" to monitor as opposed to line-by-line.

How does this impact the way logmon matches the lines against the watchers?  

For example, what happens if a watcher is matched more than one time in a single block? 

Can we match across multiple lines? For example, match if a keyword appears on the second line, but only if it does not also appear on the third line?

Environment

DX UIM - Any Version
logmon probe - Any Version

 

Resolution

When evaluating a block of text, logmon follows a process consisting of the following steps:

1. Read each line in the file and evaluate it for the "begin" expression.
2. When this is encountered, consider the line that contains it to be the first line of the block.
3. Read lines one-by-one and pass them to the watchers one at a time until the "end" expression is reached.
4. If any match was detected for any watcher, send one alert per matched watcher (not per match!).

Therefore, it is not possible to match across multiple lines: the lines in a block are evaluated independently against each watcher, and the alert is sent if any line in the block matches a watcher expression.
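The following Python model of the four steps above is an added illustration, not logmon code or configuration. The function name, watcher names and sample log are constructed, and evaluating the "end" line and not reporting an unterminated block are assumptions the article does not confirm.

```python
import re

# Constructed sample log: two blocks delimited by BEGIN/END lines.
SAMPLE_LOG = """\
2024-01-01 10:00:00 startup ok
BEGIN TRANSACTION 17
status ERROR disk full
status ERROR retry failed
END TRANSACTION 17
BEGIN TRANSACTION 18
status ERROR timeout
status recovered
END TRANSACTION 18
""".splitlines()

# Hypothetical watchers: name -> match expression.
WATCHERS = {"error": r"ERROR", "recovered": r"recovered"}


def evaluate_blocks(lines, begin, end, watchers):
    """Return, for each completed block, the watchers that would alert."""
    begin_re, end_re = re.compile(begin), re.compile(end)
    compiled = {name: re.compile(rx) for name, rx in watchers.items()}
    alerts = []
    matched = None  # None means we are outside a block
    for line in lines:
        if matched is None:
            if not begin_re.search(line):
                continue            # step 1: still looking for "begin"
            matched = set()         # step 2: this line opens the block
        # Step 3: each line is tested on its own; a watcher sees no
        # neighbouring lines, so cross-line conditions cannot be expressed.
        for name, rx in compiled.items():
            if rx.search(line):
                matched.add(name)   # a set: repeat matches collapse to one
        if end_re.search(line):     # assumption: the "end" line is evaluated too
            alerts.append(sorted(matched))  # step 4: one alert per watcher
            matched = None
    # Assumption: a block with no "end" line yet is not reported.
    return alerts


if __name__ == "__main__":
    for i, names in enumerate(evaluate_blocks(SAMPLE_LOG, r"^BEGIN", r"^END", WATCHERS), 1):
        print(f"block {i}: alerts from {names}")
```

In the second block the "error" watcher still alerts even though the next line reports recovery, so any "ERROR unless followed by recovered" logic has to be applied downstream of logmon, for example when alarms are correlated.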