Solved: Using Windows agent to send log files

mw_dg · ‎04-01-2014

Hi there,

I really need to figure out the sending of log files using the Windows agent. I have seeen your doc on it and it is sort of easy. Then the event_marker is complicated. The example shows a bunch of control characters and curly brackets. I need to understand the event_marker parameters. What in a text file would suggest what needs to be in event_marker?

Thanks in advance,

Michael

sflanders · ‎04-09-2014

Hey Michael - not sure how I missed this one! The event_marker is a regex that is known to match the beginning of a new log message. For example, say I have the following logs:

2014-03-27 10:29:38,534 [pool-35-thread-1] DEBUG opId= com.vmware.sps.qs.notify.VasaProviderInfoNotifier - poll changes for VASA provider

2014-03-27 10:29:38,540 [pool-35-thread-1] DEBUG opId= com.vmware.vim.query.client.impl.QueryDispatcherImpl - Dispatching query:

declare default element namespace "urn:vasa";

declare namespace qs="urn:vmware:queryservice";

declare namespace vim25="urn:vim25";

declare namespace xlink="http://www.w3.org/1999/xlink";

declare namespace vasaData="http://data.vasa.vim.vmware.com/xsd";

declare namespace vasa="http://com.vmware.vim.vasa/1.5/xsd";

for $doc in //VendorProviderInfo

return

<item>

{data($doc/vasa:return/vasaData:uid)}

</item>

2014-03-27 10:29:38,543 [pool-35-thread-1] DEBUG opId= com.vmware.vim.query.client.impl.QueryDispatcherImpl - (QueryResponseMonitor) Registered stream: 27227

You can see how the second message is a multi-line message. If you do not specify an event_marker then the multi-line message will be broken up into individual events. However, if you specify an event_marker with a regex that matches the beginning of an event then it will not break the message up. For the above message type, I could use an event_marker like:

event_marker=^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}

Which would match: 2014-03-27 10:29:38,534

The event_marker can be as short or as long as you want, but you should ensure that the regex you specify is guaranteed to match a new event. I hope this helps!

Hope this helps! === If you find this information useful, please award points for "correct" or "helpful". ===

View solution in original post

sflanders · ‎04-09-2014

Hey Michael - not sure how I missed this one! The event_marker is a regex that is known to match the beginning of a new log message. For example, say I have the following logs:

2014-03-27 10:29:38,534 [pool-35-thread-1] DEBUG opId= com.vmware.sps.qs.notify.VasaProviderInfoNotifier - poll changes for VASA provider

2014-03-27 10:29:38,540 [pool-35-thread-1] DEBUG opId= com.vmware.vim.query.client.impl.QueryDispatcherImpl - Dispatching query:

declare default element namespace "urn:vasa";

declare namespace qs="urn:vmware:queryservice";

declare namespace vim25="urn:vim25";

declare namespace xlink="http://www.w3.org/1999/xlink";

declare namespace vasaData="http://data.vasa.vim.vmware.com/xsd";

declare namespace vasa="http://com.vmware.vim.vasa/1.5/xsd";

for $doc in //VendorProviderInfo

return

<item>

{data($doc/vasa:return/vasaData:uid)}

</item>

2014-03-27 10:29:38,543 [pool-35-thread-1] DEBUG opId= com.vmware.vim.query.client.impl.QueryDispatcherImpl - (QueryResponseMonitor) Registered stream: 27227

You can see how the second message is a multi-line message. If you do not specify an event_marker then the multi-line message will be broken up into individual events. However, if you specify an event_marker with a regex that matches the beginning of an event then it will not break the message up. For the above message type, I could use an event_marker like:

event_marker=^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}

Which would match: 2014-03-27 10:29:38,534

The event_marker can be as short or as long as you want, but you should ensure that the regex you specify is guaranteed to match a new event. I hope this helps!

Hope this helps! === If you find this information useful, please award points for "correct" or "helpful". ===

mw_dg · ‎04-09-2014

Thanks Steve. I will have to try this out. It is a little confusing. But I believe I understand now.

I will let you know.

Michael

admin · ‎04-21-2014

Hi Michael,

I'm curious as to whether you've had luck using the event marker? Do you have any feedback for us?

Thanks!

Leila.

mw_dg · ‎04-22-2014

I have been pretty busy. I need to set a bunch of time aside for this as I don't think it is something I can do in just a few minutes. I must admit this is the single biggest glaring shortcoming in this version I have seen. I know it is a powerful thing and solves a problem but it is not very user friendly.

I will try and work with it in the next little while. Sorry for the delay.

Michael

sflanders · ‎06-17-2014

Hey Michael,

Just wanted to follow up and see if you were able to test this out. I understand you are very busy

Hope this helps! === If you find this information useful, please award points for "correct" or "helpful". ===

mw_dg · ‎06-17-2014

Hi Steve,

Sorry, but I did not. Crazy times. In fact, I forgot to upgrade my agents after my LI upgrade. It is still on my list.

Michael

sflanders · ‎02-20-2015

Hey Michael -- just following up on this. Are you all set?

Hope this helps! === If you find this information useful, please award points for "correct" or "helpful". ===

mw_dg · ‎02-20-2015

Thanks for following up on this Steve. Much appreciate it. All is good. Things are going well and I am, as you might expect, quite happy with it all.

Michael