Monitors Administration

Owned by Haim Koschitzky
Last updated: Feb 14, 2024 by Omry Koschitzky
3 min read

XpoLog comes with a built-in monitoring engine that enables you to monitor logs data and get alerts when defined criteria is met.

The monitors console is available at XpoLog Manager left navigation panel Monitors and Tasks > Monitors.

The monitors console presents all defined monitors, their last execution time, their defined alerts, search queries, and their last status:

  • failure = matching events were detected in the last execution and, if defined, the alerts were triggered.

  • success = matching events were not found in the last execution and alerts, if defined, were not triggered.

Using the console you can define monitors and groups of monitors, export/import monitors between environments, suspend/resume monitor's execution, delete and edit.

Alert Types

XPLG supports multiple alerts types that may be triggered as a monitor’s failure alert/positive alert.

You may find more details on the different types in this article: https://xpolog.atlassian.net/wiki/pages/resumedraft.action?draftId=1642397903

Runtime Placeholders

XpoLog can add additional information to the alerts from the logs and monitors which are executed during runtime.

The monitor, upon triggering, will replace the below placeholders with their actual value taken from the execution - such as log name, monitor name, log column content, etc.
It is also possible to add selected log fields or the complete log event to the monitor alerts by placing the following placeholders in any one of the above listed alerts (all placeholders are case sensitive)

Metadata:

  • [SEARCH_QUERY] = by default, the search query used in the search monitor is presented in the alert's subject. Occasionally, the search query may be long so it is possible to include this placeholder in the email body which will be replaced upon execution with the query

  • [END_OF_SUBJECT] = may be used at the end of the email subject in case there is a need to exclude the search query from the email subject (relevant only for email alert)

  • [MONITOR_ID] = the unique id of the monitor

  • [MONITOR_NAME] = the name of the monitor

  • [MONITOR_STATUS] = the monitor status : 1 = failure , 0 = success

  • [LOG_NAME] = the log name that the included event is originated from (relevant to simple query only)

  • [LOG_ID] = the log name that the included event is originated from (relevant to simple query only)

  • [HOST_NAME] = the host name that the included event is originated from (relevant to simple query only)

  • [APPTAGS] = the application(s) name(s) that the monitor is associated with

  • [APPS_NAME] = the application(s) name(s) that the event is originated form (relevant to simple query only)

  • [FOLDER_NAME] = the parent folder name that the included event is originated from (relevant to simple query only)

  • [SEARCH_LINK] = a direct link to XPLG Search generated in runtime (to view the monitor's results in the search console) 

  • [MONITOR_EVENTS_COUNT] = the total number of log events in the result

  • [LOG_TIME_timestamp] - UNIX format timestamp of the event

Data from the events:

  • [COLUMN_NAME] = the name of the column which its content will be included (for example if you have a Severity column in the log event, the placeholder [Severity] will be replaced with the contents of this field.
    Note: this is case sensitive and the used name must be exactly as displayed in the result.

  • [LOG_ALL_RECORD_COLUMNS_RAW] = the complete log event that will included.

  • [ALL_TABLE_CSV] = may be used in complex query result to display the entire result table in CSV format. This placeholder is not required in email alert as the result table is displayed by default.
    It is very important when publishing alerts to Slack, MS Teams and Pagerduty in order to see on the target the contents of the result.