
XpoLog comes with a built-in monitoring engine that lets you monitor log data and receive alerts when defined criteria are met.

The monitors console is available in the XpoLog Manager left navigation panel under Monitors and Tasks > Monitors. The console presents all defined monitors, their last execution time, their defined alerts, their search queries, and their last status (failure = matching events were detected in the last execution and alerts were sent; success = no matching events were found in the last execution and no alerts were sent).

Using the console you can define monitors and groups of monitors, export/import monitors between environments, suspend/resume monitor execution, and delete and edit monitors.

Alert Types
Monitors can be automated and send alerts in various forms:

  • Email - sends an email alert to a list of users (make sure you have configured the required mail settings in XpoLog).
    Note - The e-mail list should be formatted correctly in plain e-mail address format, not Outlook format, since that format is not supported.
    • Email Alert Advanced options
      • Data Attachment - it is possible to add the following to the email alert:
        • Append event to end of email body: adds to the email body the latest log event that triggered the alert in the current execution
        • Attach a dashboard: attaches one of the existing Dashboards to the email
        • Attach matched events as: attaches to the email all the records which triggered the alert in the current execution as a file of one of the available types (CSV / Tab Delimited / XML)
          • Check to zip the attached file: in case 'Attach matched events as' is checked, determines whether the attachment will be zipped or not.
      • From Email Address - it is possible to customize the 'From' email address (by default the system email address is used).

      Note: XpoLog sends email alerts in HTML format, therefore using the HTML <br> element in the email body produces a line break.
  • SNMP Traps - sends an SNMP trap (make sure you have configured the required SNMP account in XpoLog).
  • JMS Messages - sends a JMS message (make sure you have configured the required JMS account in XpoLog).
  • Batch Alert (Custom Scripting) - an open mechanism which executes any script when the monitor fails.
    • Custom Scripting Details: it is possible to export all the records which triggered the alert in the current execution to a file (Program/Script path=CMD echo "export").
    • Custom Scripting Alert Advanced options:
      • Export Data - exports all the records which triggered the alert in the current execution to a file of one of the available types (under the Custom type it is also possible to export only selected fields).
        You can add the placeholder [TIMESTAMP] to the file name in order to create a new file per execution that triggers the alert.
  • REST API Call - opens a URL call (POST/GET/PUT/DELETE) and sends information which was detected in the monitor execution.
  • Slack - publishes a message to Slack channel(s) - make sure you have configured the required Slack settings in XpoLog.
  • Microsoft Teams - publishes a message to MS Teams channel(s) - make sure you have configured the required MS Teams settings in XpoLog.
  • PagerDuty - opens an incident in PagerDuty service(s) - make sure you have configured the required PagerDuty settings in XpoLog.
      • PagerDuty alerts can be customized further. In order to send specific details to PagerDuty, in the alert section under Advanced - Custom Fields you may enter a JSON with the desired values. Runtime placeholders (see below) are replaced with their actual values when the incident is opened. Example:

{
  "alertDefinition": {
    "payload": {
      "severity": "info",
      "summary": "[MONITOR_NAME]",
      "custom_details": {
        "timestamp": "[Date]",
        "source-log": "[LOG_NAME]",
        "source-node": "[HOST_NAME]",
        "component": "log",
        "domain": "[APPTAGS]",
        "message": "[Message]",
        "query": "[SEARCH_QUERY]"
      }
    },
    "links": [
      {
        "text": "XPLG Zoom-In Link"
      }
    ]
  },
  "conf": {}
}

Runtime Placeholders

XpoLog can add additional information from the logs and monitors to the alerts at runtime. Upon triggering, the monitor replaces the placeholders below with their actual values taken from the execution, such as the log name, the monitor name, log column content, etc.
It is also possible to add selected log fields or the complete log event to the monitor alerts by placing the following placeholders in any of the above listed alerts (all placeholders are case sensitive).

Metadata:

  • [SEARCH_QUERY] = by default, the search query used in the search monitor is presented in the alert's subject. Since the search query may be long, this placeholder can be included in the email body instead; it is replaced upon execution with the query
  • [END_OF_SUBJECT] = may be placed at the end of the email subject when there is a need to exclude the search query from the subject (relevant only for email alerts)
  • [MONITOR_ID] = the unique id of the monitor
  • [MONITOR_NAME] = the name of the monitor
  • [MONITOR_STATUS] = the monitor status: 1 = failure, 0 = success
  • [LOG_NAME] = the name of the log that the included event originated from (relevant to simple queries only)
  • [LOG_ID] = the id of the log that the included event originated from (relevant to simple queries only)
  • [HOST_NAME] = the host name that the included event originated from (relevant to simple queries only)
  • [APPTAGS] = the name(s) of the application(s) that the monitor is associated with
  • [APPS_NAME] = the name(s) of the application(s) that the event originated from (relevant to simple queries only)
  • [FOLDER_NAME] = the name of the parent folder that the included event originated from (relevant to simple queries only)

Data from the events:

  • [COLUMN_NAME] = the name of a log column whose content will be included (for example, if the log event has a Severity column, the placeholder [Severity] is replaced with the contents of that field). Column names are case sensitive, so [severity] will not match a column named Severity.
  • [LOG_ALL_RECORD_COLUMNS_RAW] = the complete log event
  • [ALL_TABLE_CSV] = may be used in complex query results to display the entire result table in CSV format. This placeholder is not required in email alerts, as the result table is displayed there by default.
    It is very important when publishing alerts to Slack, MS Teams and PagerDuty, otherwise the contents of the result are not visible on the target.
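The following is an added illustration of the placeholder rules described above, written as a small Python renderer; it is not XpoLog code and does not show how XpoLog itself performs the substitution. It models the documented behaviour (case-sensitive names, [COLUMN_NAME] taken from the event's columns, [ALL_TABLE_CSV] for a complex-query result table, [END_OF_SUBJECT] cutting the email subject before the query is appended) and adds one practitioner caveat that the page does not state: because email bodies are HTML and PagerDuty Custom Fields are JSON, log content inserted through placeholders should be escaped for the target format, since log lines can contain markup or quotes. The escaping, the sample monitor context, the sample event and the result table are all constructed for this example.

```python
"""Illustrative renderer for XpoLog-style runtime placeholders (added example, not XpoLog code)."""
import csv
import html
import io
import json
import re

# A placeholder is a bracketed name such as [MONITOR_NAME] or [Severity]; names are case sensitive.
PLACEHOLDER = re.compile(r"\[([A-Za-z0-9_]+)\]")

# Constructed sample monitor execution context (assumed values, not real monitor output).
CONTEXT = {
    "MONITOR_ID": "1042",
    "MONITOR_NAME": "Failed SSH logins",
    "MONITOR_STATUS": "1",
    "LOG_NAME": "auth.log",
    "HOST_NAME": "web-01",
    "APPTAGS": "ssh",
    "SEARCH_QUERY": 'Severity = "error" and Message contains "Failed password"',
}
# Constructed sample event; the Message deliberately contains quotes and angle brackets.
EVENT = {
    "Date": "2024-05-01 10:15:03",
    "Severity": "error",
    "Message": 'Failed password for invalid user "<admin>" from 203.0.113.5 port 4422 ssh2',
}
# Constructed complex-query result table (what [ALL_TABLE_CSV] would render).
RESULT_TABLE = [
    {"Host": "web-01", "Count": "17"},
    {"Host": "web-02", "Count": "3"},
]


def table_to_csv(rows):
    """Render a list of row dicts as CSV with a header line."""
    if not rows:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def resolve(name, context, event, table):
    """Return the replacement for one placeholder name, or None if it is unknown."""
    if name == "LOG_ALL_RECORD_COLUMNS_RAW":
        return " ".join(event.values())
    if name == "ALL_TABLE_CSV":
        return table_to_csv(table)
    if name in context:
        return context[name]
    if name in event:  # [COLUMN_NAME]: exact, case-sensitive column match
        return event[name]
    return None


def render(template, context, event, table=None, escape=None):
    """Replace known placeholders; unknown ones are left verbatim. `escape` adapts values to the target format."""
    def substitute(match):
        value = resolve(match.group(1), context, event, table or [])
        if value is None:
            return match.group(0)
        return escape(value) if escape else value
    return PLACEHOLDER.sub(substitute, template)


def render_subject(subject, context, event):
    """Email subject: the search query is appended by default; [END_OF_SUBJECT] suppresses that."""
    if "[END_OF_SUBJECT]" in subject:
        return render(subject.split("[END_OF_SUBJECT]", 1)[0], context, event)
    return render(subject, context, event) + " - " + context["SEARCH_QUERY"]


def render_html_body(template, context, event, table=None):
    """Email bodies are HTML, so substituted log content is HTML-escaped (assumed good practice)."""
    return render(template, context, event, table, escape=html.escape)


def render_pagerduty(custom_fields_json, context, event):
    """Substitute placeholders inside every string of a PagerDuty Custom Fields JSON document.
    Values are inserted into the parsed structure, so json.dumps encodes quotes and backslashes."""
    def walk(node):
        if isinstance(node, dict):
            return {k: walk(v) for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v) for v in node]
        if isinstance(node, str):
            return render(node, context, event)
        return node
    return json.dumps(walk(json.loads(custom_fields_json)))


if __name__ == "__main__":
    print(render_subject("[MONITOR_NAME] on [HOST_NAME][END_OF_SUBJECT]", CONTEXT, EVENT))
    print(render_html_body("[Date] [Severity]<br>[Message]", CONTEXT, EVENT))
    print(render("[ALL_TABLE_CSV]", CONTEXT, EVENT, RESULT_TABLE))
    print(render_pagerduty('{"payload": {"summary": "[MONITOR_NAME]", "custom_details": {"message": "[Message]"}}}', CONTEXT, EVENT))
```

The point of the two escaping paths is that the same [Message] placeholder lands in different formats: naive string replacement into the JSON text would produce invalid JSON (or let a crafted log line inject extra fields) the moment a log message contains a double quote, and unescaped replacement into an HTML body would render markup that appears in the log instead of showing it literally.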

 
