XpoLog search monitor runs automatically by the system at scheduled intervals and execute a search query as its monitoring rule. The search monitor can be defined directly from the search console as well.
The following is a step by step flow to add a search monitor with alerts:
1. From The Monitors console (Manager > Log Actions > Monitors) - select Add Search Monitor.
2. Name the Monitor, and add the search query (simple or complex) you wish the monitor to execute.
3. Alerts - Add new Alert. If this is the first time XpoLog is configured to send alerts then you will be asked to enter details that XpoLog can use to send the requested alert. Create the alert and save it.
4. Schedule - configure the frequency that you wish for this monitor - based on the configured frequency the monitor will scan the log.
5. Save it. It will run automatically based on the frequency you configured and it is also possible to execute a monitor manually if needed by selecting the monitor and click the execute button.
Note:
- On each execution, the monitor scans only new records and not the entire log.
- It is also possible to configure the alerts to include the entire result or selected information from the matched log events:
- Under the Advanced Section of the email alert you can attach data:
Append event to end of email body - matched log events will be included in the email body.
Attach matched events as a compressed Tab Delimited / CSV / XML file. - It is possible to add selected log fields to monitor alerts by placing the following place holders:
[COLUMN_NAME] = the name of the column which its content will be included
[MONITOR_ID] = the unique id of the monitor
[MONITOR_NAME] = the name of the monitor
[MONITOR_STATUS] = the monitor status : 1 = failure , 0 = success
[LOG_NAME] = the log name that the included event is originated from
[LOG_ID] = the log name that the included event is originated from
[HOST_NAME] = the host name that the included event is originated from
[APPS_ID] = the application(s) name(s) that the included event is originated from
[FOLDER_NAME] = the parent folder name that the included event is originated from
- Under the Advanced Section of the email alert you can attach data:
Advanced section:
- Scan log from last scan point - determines whether the monitor will scan only new records in the log on each execution or the entire log either way. By default this option is selected.
- Failure - determines the fail criteria of a monitor. By default if a single record was found matched to the configured rule, it will be considered as a failure and the alerts will be triggered.
- Once failed, execute failure actions only after - after a failure, alerts will be sent again only after a specified number of additional failure without a success between.
- Once failed, execute failure actions for - by default the monitor executes the alerts on the latest record that was matched per each execution. This is the recommended option - the last event only. None of the events - no alerts will be sent, the first event only - a single alert on the first record that was matched per each execution, each event - the alerts will be triggered on each log record that was matched per each execution (not recommended since the number of records that may be found matched is not limited and the alert will be sent per each one).
In case each event is selected, it is recommended to limit the total number of alerts that may be sent per each execution (Maximum number of alerts to send). - Positive Alerts - execute a positive alert as an indication that a specified time has passed since last failure.