How to check the new entries of a file that might contain a specific error

Question

How to check the new entries of a file that might contain a specific error

Nik Alex 21

I have a log file and I am trying not to capture the same error in the log when the below script runs. The script is running every 5 minutes through task scheduler. (so, if there are new entries with the specific error an email should be sent, if not then nothing to do - it shouldn't read the whole log) The goal is to store the last time the log was checked with a time stamp. If there is no new entry (of the same error) when the script runs then there is nothing to do. (shouldn't send an Email) Else it should send an Email.

The log looks like:
2021-01-05 15:44:45
CODE : 00002
LEVEL : 4
NAME : com.apps.common.util.ApplicationException
ERROR # : UTUD3SIQY3Z0
TOKEN ID : 2574333
USER : System
MESSAGE : The requested operation could not be completed.
at com..apps.common.util.LoggingHelper.logError(LoggingHelper.java:128)
at com..apps.common.util.ErrorHandler.log(ErrorHandler.java:644)
at com..apps.common.util.ErrorHandler.handleError(ErrorHandler.java:131)

What I have tried so far but without success is this:

$File = 'D:......\logs\Nikos_text2.txt'
$content = Get-Content $File
While($true){
$date = (Get-Date).AddMinutes(-5)
$Writetime = Get-Item $File | select lastwritetime | get-date
If ($Writetime -le $date -and $content -like 'Trigger action error'){
$smtp = new-object Net.Mail.SmtpClient("server name")
$objMailMessage = New-Object System.Net.Mail.MailMessage
$objMailMessage.From = "support@keyman .com"
$objMailMessage.To.Add("support@keyman .com")
$objMailMessage.To.Add("support@keyman .com")
$objMailMessage.Subject = "Error message: 'Trigger action error'"
$objMailMessage.Body = "In log in server (SI) I traced the following error message: Trigger action error. Pls check it asap"
$smtp.send($objMailMessage)

}
Start-Sleep -Seconds 300
}

From my understanding either I should capture every time the script runs the last line of the log that previously run or put a timestamp and the next time it will run, then to check for errors after the last timestamp. But due to the fact that I am brand new to Powershell, I don't have a clue how to achieve it.
Any help would be much appreciated.

Thank you in advance

I now made some changes to my code:

$time = '{0:yyyy-MM-dd HH:mm:ss}' -f (Get-Date '2021-02-02 12:40:48').AddMinutes(-5)
$File = 'D:......\logs...log'
$search = 'Application Error*'
$query = (Get-Content $File) | Where-Object {$-match $search} | Select-Object -Last 1
if ($query -match "Application Error*" -and ($ -split ',')[0] -gt $time) {
$smtp = new-object Net.Mail.SmtpClient("server")
$objMailMessage = New-Object System.Net.Mail.MailMessage
$objMailMessage.From = "support@keyman .com"
#$objMailMessage.To.Add("support@keyman .com")
$objMailMessage.To.Add("support@keyman .com")
$objMailMessage.Subject = "Error message: 'Application error'"
$objMailMessage.Body = "In log in server I traced the following error message: Application error"
$smtp.send($objMailMessage)
}

but still I am not able to receive an Email notification.

Accepted answer

4 additional answers

Your answer

Answer 1

Rich Matheisen 47,901

See if something like this works for you:

$fn = "C:\junk\1.txt"
$cycletime = 5  # in minutes
$lastcheck = (get-date).AddMinutes(-$cycletime)   # initialize the time
While ($true){
    $writetime = Get-ItemProperty  $fn | Select-Object LastWriteTime | Get-Date
    if ($writetime -ge $lastcheck){     # no need to check the log if it hasn't been written to
        # get all possible matches and select only the last (most recent) one
        $all = Select-String -Path $fn -Pattern "^NAME\s:\s.+\.ApplicationException$" -Context 3,4 | 
            Select-Object -Last 1
        # get the date from the error
        $lastspecificerrortime = Get-Date $all.Context.PreContext[0]
        # if the error happened since the last check, report it
        if ($lastspecificerrortime -gt $lastcheck){
            # send your e-mail here
        }
    }
    $lastcheck = Get-Date
    Start-Sleep -Seconds ($cycletime * 60)
}

I didn't check to see if there were no errors selected, so you probably should do that!

Nik Alex 21 Reputation points

2021-02-03T10:37:50.17+00:00

@Rich Matheisen thank you very much for your answer! I have some questions though in order to be able to understand your code.
Could you pls let me know what does this part of coding?
"^NAME\s:\s.+.ApplicationException$" -Context 3,4 "
b) the script runs more than 5 minutes which of course I don't want, due to the fact that the task scheduler will activate it and run it every 5 minutes. I disabled the part " Start-Sleep -Seconds ($cycletime * 60) " but the script still runs at least 30 minutes. Any ideas why?
c) I added this: " if ($lastspecificerrortime -gt $lastcheck -and (Get-Content $fn - contains 'Application Error*')){ " but I can't capture my error. Could you pls give me a hint? (I have added my server name - email address e.t.c)
Rich Matheisen 47,901 Reputation points

2021-02-03T15:55:01.197+00:00

Incomplete explanations yield incomplete designs. :-)

I just used the example of the error you posted. In your explanation you mention "Trigger action error" and "Application error" but never stated what to look for in the text . . . so I picked the line "NAME : com.apps.common.util.ApplicationException". The regular expression just looks for a line that begins with "NAME : " and ends with ".ApplicationError".

You also said that the Task Scheduler runs the script every five minutes, but the code example you posted included a "Start-Sleep".

The code I suggested never stops running, and because of that it simply stores the last time it ran in a local variable. If the script is to terminate then you'll have to store the last time it ran in a file (or the registry).

Nowhere in your example of the log file contents is "Application Error" to be found!
Nik Alex 21 Reputation points

2021-02-03T16:15:39.843+00:00

@Rich Matheisen again thank you very much for your explanation, time and effort. I really appreciate it!
I am really new to coding and especially to Powershell so pls bare with me.
It is my mistake, that I didn't explain what I am trying to figure out.
I have a log file that needs to be tested every 5 minutes for this specific error: "Content is not allowed in prolog"
I For the script that never stops, I got you and it is much better how you have designed it, thank you. Makes more sense to have it this way.
Now, for the specific error, can I use what you have suggested?
"^ERROR\s:\s.+.prolog$" and remove the bold statement that I have added?
if ($lastspecificerrortime -gt $lastcheck ****-and (Get-Content $fn - contains 'Application Error')****)
Rich Matheisen 47,901 Reputation points

2021-02-03T20:12:38.927+00:00

Now that you're looking only for a single line in the log file and not trying to extract the entire error message that simplifies this quite a lot!

If you're checking the log file every five minutes, how many ew lines would you normally expect to have written to the log file in that time period? 100? 1,000? 5,000? More??? The reason I ask is that if you have some idea it's possible to get only the last "X" lines from the log file. If, for example, the log file contains 20GB of data and each line is (say) 200 characters, instead of reading 100,000,000 lines unnecessarily to find one line that's only 100 lines from the end of the file will save you a considerable amount of time by looking through the last 5,000 (or less)!
Nik Alex 21 Reputation points

2021-02-03T20:39:05.767+00:00

@Rich Matheisen thank you for your reply. It wont be more than 100 lines.
Chris 656 Reputation points

2021-02-07T10:30:17.97+00:00
Rich,
a little question. I am new with Powershell. Can you tell me why

$all = Select-String -Path $fn -Pattern "^NAME\s:\s.+\.ApplicationException$" -Context 3,4 | Select-Object -Last 1

didn't work with select-string? Because it not a object?
Rich Matheisen 47,901 Reputation points

2021-02-07T15:18:33.163+00:00

Well, it did work . . . if you use the log data that was in the original question (just below line "The log looks like:". However, the actual log data look nothing like that.

Answer 2

Give this a try:

$fn = "C:\junk\1.txt"
$cycletime = 5  # in minutes
$linestocheck = 500             # only check the last X number of lines in $fn
$startcheck = 0
$lastcheck = (Get-Date).AddMinutes(-$cycletime)   # initialize the time
$regex = "\<Error\>\<(.+?\s.+?)\>\s.+Content is not allowed in prolog\.$"  # store the regex
While ($true) {
    $startcheck = Get-Date                          
    $writetime = Get-ItemProperty  $fn | Select-Object LastWriteTime | Get-Date
    if ($writetime -ge $lastcheck) {
        # no need to check the log if it hasn't been written to
        $latestmatch = (Get-Date).AddMinutes(-15)               # give (more than) enough overlap when looking for errors 
                                                                # maybe change to AddMinutes(-(3*$cycletime))???
        Get-Content -Path $fn -Tail $linestocheck |
            ForEach-Object {
                if ($_ -match $regex) {
                    $errordate = [datetime]$Matches[1]
                    if ($errordate -gt $latestmatch) {
                        $latestmatch = $errordate
                    }
                }
            }
        # if the most recent error happened since the last check, report it
        if ($latestmatch -gt $lastcheck) {
            # send your e-mail here
        }
        $lastcheck = $startcheck                    # remember when check was STARTED, not when it finished!!!
                                                    # who knows how long it takes to look for the errors???
        Start-Sleep -Seconds ($cycletime * 60)
    }
}

Answer 3

Nik Alex 21

@Rich Matheisen thank you for your code. I tested it and it doesn't seem to catch the errors in the log that I have or to say it better, it doesn't send me an Email. I have tested our exchage and it is working fine. The error that I am trying to catch is the one that I have previously attached and added in your regex.
Any ideas why?

Thank you in advance for your time and effort!

Answer 4

Rich Matheisen 47,901

Does running this return "True"?

$x = "<ERROR><13-Ju1-2020 05:23.21.270> Exception processing TriggerConfigFiles folder :org.xm1.sax.SAXSParseException: Content is not allowed in prolog."
$regex = "\<Error\>\<(.+?\s.+?)\>\s.+Content is not allowed in prolog\.$"
$x -match $regex

The only data I have is what you show me, and a picture of your data doesn't tell me if there are (say) trailing spaces, tabs, etc.

You can try changing the regex to take into account any trailing whitespace:

$regex = "\<Error\>\<(.+?\s.+?)\>\s.+Content is not allowed in prolog\.\s*$"

If it still doesn't work, upload a small TXT file that has some of the errors in it, along with some of the surrounding lines.

Nik Alex 21 Reputation points

2021-02-05T16:22:34.033+00:00

@Rich Matheisen thank you for your reply. I am attaching part of the log. The first regex that you sent today, indeed returned TRUE. I also tried with the 2nd regex and also didn't receive any Email.

Again thank you for your time and effort
Rich Matheisen 47,901 Reputation points

2021-02-05T20:05:42.69+00:00
Well, this is embarrassing . . . correct line #24. I misspelled "$latestmatch"! Geeze.

It should be:

if ($latestmatch -gt $lastcheck) {
Nik Alex 21 Reputation points

2021-02-05T21:44:55.243+00:00

@Rich Matheisen my God, six eyes (I am wearing glasses) and we missed it...Thank you! I corrected it, but still am not able to receive an Email.
Now, I think that the problem is in the amount of lines that the pattern is searching for. It is not 1000, my mistake. The log file is getting bigger and bigger so now I found this error "Content is not allowed in prolog" in line 1532795. I changed the 1000 to 1540000, but still didn't get any Email. Maybe it is impossible to read so many lines or it takes too much time?
Pls see the attached screenshot of the line with the error.

Thank you in advance!
Rich Matheisen 47,901 Reputation points

2021-02-05T22:29:18.4+00:00
Once the script starts running there's no limit on how long it takes to acquire the data.

Whether the amount of data is "too much", you can easily test that!

$fn = "c:\junk\log2/txt" $linestocheck = 1000 Measure-Command{ Get-Content -Path $fn -Tail $linestocheck | Out-Null }

I think it's time for you to post your code! Your problem may lie in the composition and sending of the mail. Out of curiosity, have you done something as simple as to place a "Write-Host 'Sending e-mail'" right below line #26 in my code? If you get there then you've found something to act on. However, note that the error happened at 2:30 in the morning. The script will only report errors that happened within 15 minutes of the time you run the script! The assumption is that the script completes within a reasonable amount of time (e.g. ~5 minutes).

Answer 5

Nik Alex 21

@Rich Matheisen thank you very much for your time and effort! It is working! We had some issues with our Exchange, and now that they are solved, I made some tests and I got the Email notification!
Thank you again!

Share via

How to check the new entries of a file that might contain a specific error

4 additional answers

Your answer