April 07, 2008

Detecting multiple Siebel log file events

A customer query involved the following question:

"If your log monitoring routine generates 1 event, and another log monitoring routine generates another event, you could use a VA2 analysis rule to provide the IF capability?"

The basic need was to monitor Siebel log files for multiple events that span multiple lines. The standard VA2 log file monitoring capabilities support regular expressions, but only match a single line at a time.

The problem was nicely illustrated by this .PPT. The answer, how to make a VA2 rule that detects separate Siebel events in the log file, is posted below.

1. Use standard VA2 capabilities to generate events. The error definitions from the PowerPoint generate events, as seen in this documentation.


2. The challenge is to recognize that both of these events took place, instead of just one. If you were looking for just one event, you could just use a regular Event log analysis capability. But in this case we will have two Event Log searches, each generating a separate event. We will then use the standard VA2 functionality of an Analysis Rule to examine the Event table to determine whether two separate events were generated instead of just one.

3. So the answer to Step 3 from the .ppt is to create an Analysis Rule that examines the Events Table of VA2 and uses an If condition to determine whether more than one event is there before raising a new kind of event.

Here is a simple example of a VA2 Statistic that examines the VA2 event table:

use sqlanalyze;
my $sql = "select count(*) from errorevent";
$retval = sqlanalyze->sqlcount($sql, $datasession);


This rule counts the total number of events.

4. The rule also marks the events as processed every time it checks. So two separate events have to come in together for this rule to be true. If only one event is in the table, it does not qualify. So the Processed Flag will be set to True in this case.


The rule itself is downloadable here.

And here is the whole code for the rule:


use sqlanalyze;
# set the variables below to the type of events you are looking for

my $errortype1 = 'LogErrorType1'; #match one type of event
my $errortype2 = 'LogErrorType2'; #the second type of event must be there too.

my $e1sql = "select count(*) from errorevent where type = '$errortype1' and processed not like 'Y'";
my $ecount1 = sqlanalyze->sqlcount($e1sql , $datasession);

my $e2sql = "select count(*) from errorevent where type = '$errortype2' and processed not like 'Y'";
my $ecount2 = sqlanalyze->sqlcount($e2sql , $datasession);

if ($ecount1 and $ecount2) {
    $retval = 0; #generate an event
} else {
    $retval = 1;
}

#cleanup , set events to processed
my $updatesql = "update errorevent set processed = 'Y' where type = '$errortype1' or type = '$errortype2' ";
sqlanalyze->returnsinglevalue($updatesql , $datasession);
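
The rule's behaviour across polling cycles, as an added example that is not part of the original post or of VA2: Python with an in-memory SQLite table stands in for the VA2 event table, and the `id` column, the 'N' default and all function names are assumptions. Unlike the rule above, the cleanup marks only the rows the cycle actually read, so an event that arrives between the check and the update is not marked processed without being evaluated.

```python
import sqlite3

def make_event_table():
    """Constructed stand-in for the VA2 event table (columns beyond type/processed are assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE errorevent ("
               "id INTEGER PRIMARY KEY, type TEXT, processed TEXT DEFAULT 'N')")
    return db

def add_event(db, etype):
    db.execute("INSERT INTO errorevent (type) VALUES (?)", (etype,))

def run_rule(db, type1, type2):
    """One polling cycle: return 0 (generate an event) if both types are pending, else 1."""
    # Read the pending rows once; bound parameters keep the type names out of the SQL text.
    rows = db.execute(
        "SELECT id, type FROM errorevent "
        "WHERE type IN (?, ?) AND processed NOT LIKE 'Y'", (type1, type2)).fetchall()
    pending_types = {etype for _, etype in rows}
    retval = 0 if {type1, type2} <= pending_types else 1
    # Cleanup: mark only the rows this cycle evaluated, whether or not it fired.
    db.executemany("UPDATE errorevent SET processed = 'Y' WHERE id = ?",
                   [(row_id,) for row_id, _ in rows])
    return retval

def demo():
    """Four polling cycles over constructed events; returns the retval of each."""
    db, t1, t2 = make_event_table(), "LogErrorType1", "LogErrorType2"
    results = []
    add_event(db, t1)                     # cycle 1: first type alone
    results.append(run_rule(db, t1, t2))
    add_event(db, t2)                     # cycle 2: second type alone, partner already processed
    results.append(run_rule(db, t1, t2))
    add_event(db, t1); add_event(db, t2)  # cycle 3: both arrive in the same interval
    results.append(run_rule(db, t1, t2))
    results.append(run_rule(db, t1, t2))  # cycle 4: nothing new, so no repeat event
    return results

if __name__ == "__main__":
    print(demo())
```

Cycles 1 and 2 show the consequence of step 4: when the two event types land in different polling intervals, each is consumed on its own and the combined event is never raised.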

Posted by choppen5 at 02:55 PM