Configure a Threshold to Prevent Blasting
Your log file may get many instances of an event, one after the other over a short period of time. If you don’t configure swatch to handle this as a single event you will get blasted with repeating messages. Besides annoying you with repeated messages, your server could get blocked for it on the monitor.chat firewall. A host should send no more than one message every 120 seconds.
To prevent blasting, you can configure swatch to treat multiple instances of the same message as just one event by adding a threshold. Here is what that looks like in your /tmp/swatch.conf file:
watchfor /trouble/ exec /usr/local/bin/monitor.chat.sh "<ASTONISHED> Test log reports the following: $_" 1>/dev/null 2>&1 # report the 1st occurrance in a period of 120 seconds threshold track_by=$1,type=limit,count=1,seconds=120
The parameter “track_by” is something unique about the text of the watchfor regular expression. In this case, $1 is simply the word “trouble”.
Configure a threshold for greater precision
We need to understand the differences among the three supported configurations of a threshold:
- limit - perform action up to the “count” number of times over the indicated period of time
- threshold - perform the action every “count” number of times
- both - perform the action on the “count” time, and only that occurance, over the indicated period of time
Here are some examples of these:
# Send a message on the first 4 occurances of the text in the log file # over a period of 120 seconds. threshold track_by=$1,type=limit,count=4,seconds=120 # Send a message every 5th occurance, ignoring the 120 seconds. threshold track_by=$1,type=threshold,count=5,seconds=120 # Send a message only on the 7th occurance of the message, # then abstain until 120 seconds has passed since the 1st message. # This permits you to ignore the first few occurances. threshold track_by=$1,type=both,count=7,seconds=120