Swatch can be configured not to blast you with duplicate messages.

Configure a Threshold to Prevent Blasting

Your log file may get many instances of an event, one after the other over a short period of time. If you don’t configure swatch to handle this as a single event you will get blasted with repeating messages. Besides annoying you with repeated messages, your server could get blocked for it on the firewall. A host should send no more than one message every 120 seconds.

To prevent blasting, you can configure swatch to treat multiple instances of the same message as just one event by adding a threshold. Here is what that looks like in your /tmp/swatch.conf file:

watchfor /trouble/
exec /usr/local/bin/ "<ASTONISHED> Test log reports the following: $_" 1>/dev/null 2>&1
# report the 1st occurrence in a period of 120 seconds
threshold track_by=$1,type=limit,count=1,seconds=120

The parameter “track_by” is something unique about the text of the watchfor regular expression. In this case, $1 is simply the word “trouble”.

Configure a Threshold for Greater Precision

We need to understand the differences among the three supported configurations of a threshold:

  • limit - perform action up to the “count” number of times over the indicated period of time
  • threshold - perform the action every “count” number of times
  • both - perform the action on the “count” time, and only that occurrence, over the indicated period of time

Here are some examples of these:

# Send a message on the first 4 occurrences of the text in the log file
# over a period of 120 seconds.
threshold track_by=$1,type=limit,count=4,seconds=120

# Send a message every 5th occurrence, ignoring the 120 seconds.
threshold track_by=$1,type=threshold,count=5,seconds=120

# Send a message only on the 7th occurrence of the message,
# then abstain until 120 seconds have passed since the 1st message.
# This permits you to ignore the first few occurrences.
threshold track_by=$1,type=both,count=7,seconds=120
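
To check how many notifications a given threshold line would produce before deploying it, the following added example (not part of swatch or of the original page) models the three types as described above and replays a constructed burst of events. The function name simulate, the sample data, and the assumption that a window opens at the first occurrence for a track_by key are illustrative, not taken from swatch's source.

```python
def simulate(events, kind, count, seconds):
    """Return the (timestamp, key) events on which the action would fire.

    events: (timestamp_in_seconds, track_by_key) tuples, sorted by time.
    Semantics follow this page's description (a model, not swatch's code):
      limit     - fire on the first `count` occurrences in each window
      threshold - fire on every `count`-th occurrence, window ignored
      both      - fire only on the `count`-th occurrence in each window
    Assumption: a window opens at a key's first occurrence and lasts `seconds`.
    """
    if kind not in ("limit", "threshold", "both"):
        raise ValueError("type must be limit, threshold or both")
    state = {}   # track_by key -> (window_start, occurrences_seen)
    fired = []
    for ts, key in events:
        start, seen = state.get(key, (ts, 0))
        # limit and both start counting again once the window has expired
        if kind != "threshold" and ts - start >= seconds:
            start, seen = ts, 0
        seen += 1
        state[key] = (start, seen)
        if kind == "limit":
            fire = seen <= count
        elif kind == "threshold":
            fire = seen % count == 0
        else:  # both
            fire = seen == count
        if fire:
            fired.append((ts, key))
    return fired


# Constructed sample: "trouble" logged every 15 seconds for 3 minutes (12 lines).
BURST = [(t, "trouble") for t in range(0, 180, 15)]

if __name__ == "__main__":
    for kind, count in (("limit", 1), ("limit", 4), ("threshold", 5), ("both", 7)):
        times = [ts for ts, _ in simulate(BURST, kind, count, 120)]
        print(f"type={kind},count={count},seconds=120 -> fires at t={times}")
```

With this burst, type=limit,count=1 yields one message per 120-second window, which matches the rate the firewall guidance above calls for.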
Last modified November 10, 2020