Thread: Analyze the alerts.log

  1. #1
    Administrator tommy's Avatar
    Join Date
    Nov 2001
    Location
    Copenhagen
    Posts
    4,272

    Default Analyze the alerts.log

    Just been on a Unix class and am still amazed by the results a few simple Unix commands can produce.

    Example to extract information about inefficient queries from alerts.log:

    Code:
    grep "Performance" alerts.log | cut -d ' ' -f 5- | cut -d'-' -f3- | cut -d';' -f1 | sort | uniq -c | grep -v 'Full File Scan' | sort -n -r
    results in a list like this:

    Code:
      20 schedule, Partial File Scan for query involving fields {pm.number,application}
      19 probsummary, Partial File Scan for query involving fields {flag,md.helpdesk, update.time}
      19 device, Partial File Scan for query involving fields {logical.name,md.asset.group, subtype, type}
      17 schedule, Partial File Scan for query involving fields {pm.number,application}
      16 device, Partial File Scan for query involving fields {logical.name,md.asset.group, subtype, type}
      15 incidents, Partial File Scan for query involving fields {incident.id,open}
      13 probsummary, Partial File Scan for query involving fields {flag,md.helpdesk, update.time}
      12 probsummary, Partial File Scan for query involving fields {number,flag}
      11 probsummary, Partial File Scan for query involving fields {number,flag}
       9 screlation, Partial File Scan for query involving fields {source,source.filename, depend.filename, depend.active}
       7 screlation, Partial File Scan for query involving fields {source,source.filename, depend.filename, depend.active}
       5 probsummary, Partial File Scan for query involving fields {flag,assignment}
       5 incdepends, Partial File Scan for query involving fields {dependency.class, key.char, state}
       4 probsummary, Partial File Scan for query involving fields {flag,problem.status, assignment}
       4 probsummary, Partial File Scan for query involving fields {assignment,flag, problem.status}
       4 network, Partial File Scan for query involving fields {logical.name,router.country, router.site.code}
       3 probsummary, Partial File Scan for query involving fields {priority.code, flag, md.helpdesk}
       3 probsummary, Partial File Scan for query involving fields {category,flag, md.helpdesk}
       3 probsummary, Partial File Scan for query involving fields {assignment,flag, problem.status}
       3 incdepends, Partial File Scan for query involving fields {dependency.class, key.char, state}
       2 subcategory, Partial File Scan for query involving fields {company,category, subcategory}
       2 screlation, Partial File Scan for query involving fields {depend,depend.filename, source.filename, source.active}
       2 probsummary, Partial File Scan for query involving fields {flag,ticket.owner, md.helpdesk}
       2 probsummary, Partial File Scan for query involving fields {flag,md.business.area}
       2 incidents, Partial File Scan for query involving fields {open,md.helpdesk}
       2 incidents, Partial File Scan for query involving fields {open,md.helpdesk}
       2 device, Partial File Scan for query involving fields {location,company}
    If you only want the top 10 you can alter the command line to this:

    Code:
    grep "Performance" alerts.log | cut -d ' ' -f 5- | cut -d'-' -f3- | cut -d';' -f1 | sort | uniq -c | grep -v 'Full File Scan' | sort -n -r | head
    Best regards Tommy
    Blog - - ITIL certified - Accredited Integration Specialist – HP OpenView Service Management


  2. #2
    Member sjensen's Avatar
    Join Date
    Jan 2002
    Location
    Denmark
    Posts
    97

    Default

    Will you ever touch a "Bill Gates machine" again?

    Unix rocks the boat and my Windows 2000/XP, they are gone and replaced with Red Hat Linux 8.

    /Steen

  3. #3
    Administrator tommy's Avatar
    Join Date
    Nov 2001
    Location
    Copenhagen
    Posts
    4,272

    Default

    I have to

    At work we are still stuck with windows as standard.

    At home I am stuck with crappy w98 because I have a Pinnacle video grabber that only works with w98....
    Best regards Tommy

  4. #4
    Junior Member
    Join Date
    Feb 2004
    Location
    Overland Park KS
    Posts
    3

    Default Alert log analysis

    Your grep command pulls back similar info; I however am lost on interpreting the file. What does the first number indicate? What actions am I to take now that I have this info? I have asked Peregrine but they really do not give me any info.

    Is this good or bad? 183 shows at the top; what does 183 indicate? Any help would be appreciated... Thanks

    183 globallists, Hit Ratio not achieved on file globallists and query (build.startup=true): Of 102 records checked, 30 did not match the query
    173 globallists, Hit Ratio not achieved on file globallists and query (build.startup=true): Of 102 records checked, 30 did not match the query
    147 screlation, Partial File Scan for query involving fields {source, source.filename, source.active}
    146 screlation, Partial File Scan for query involving fields {depend, depend.filename, depend.active}
    137 schedule, Partial File Scan for query involving fields {pm.number, application}
    136 schedule, Partial File Scan for query involving fields {pm.number, application}
    135 inbox, Partial File Scan for query involving fields {inbox.type, operator.name, groups}
    126 screlation, Partial File Scan for query involving fields {source, source.filename, source.active}
    122 screlation, Partial File Scan for query involving fields {depend, depend.filename, depend.active}
    114 probsummary, Partial File Scan for query involving fields {flag, assignee.name, secondary.assignee.name}
    111 inbox, Partial File Scan for query involving fields {inbox.type, operator.name, groups}
    110 incidents, Partial File Scan for query involving fields {incident.id, open}
    105 probsummary, Partial File Scan for query involving fields {flag, assignment, secondary.assignment}
    93 probsummary, Partial File Scan for query involving fields {flag, assignee.name, secondary.assignee.name}
    92 datadict, Hit Ratio not achieved on file datadict and query (sc.manage.screen~="NULL"): Of 594 records checked, 592 did not match the query
    77 operator, Partial File Scan for query involving fields {name, full.name}
    76 probsummary, Partial File Scan for query involving fields {flag, assignment, secondary.assignment}
    74 incidents, Partial File Scan for query involving fields {incident.id, open}
    62 operator, Partial File Scan for query involving fields {name, full.name}
    54 datadict, Hit Ratio not achieved on file datadict and query (sc.manage.screen~="NULL"): Of 594 records checked, 592 did not match the query
    51 screlation, Partial File Scan for query involving fields {depend, depend.filename, source.filename, source.active}
    48 probsummary, Partial File Scan for query involving fields {problem.status, assignment, secondary.assignment.grp}
    43 screlation, Partial File Scan for query involving fields {source, source.filename, depend.filename, depend.active}
    43 screlation, Partial File Scan for query involving fields {source, source.filename, depend.filename, depend.active}
    22 incidents, Partial File Scan for query involving fields {opened.by, open.time}
    14 probsummary, Partial File Scan for query involving fields {problem.status, assignment, secondary.assignment.grp}
    11 probsummary, Partial File Scan for query involving fields {priority.code, open.time, problem.status}
    10 wdResHierarchy, Partial File Scan for query involving fields {wdChildID, wdParentID}
    9 wdResHierarchy, Partial File Scan for query involving fields {wdChildID, wdParentID}
    9 screlation, Partial File Scan for query involving fields {depend, depend.filename, source.filename, source.active}
    9 rootcause, Partial File Scan for query involving fields {open, assignee.name}
    8 probsummary, Partial File Scan for query involving fields {assignment, open.time}
    8 erddef, Partial File Scan for query involving fields {file1, cascade.deletes}
    7 incidents, Partial File Scan for query involving fields {opened.by, open.time}
    6 probsummary, Partial File Scan for query involving fields {priority.code, open.time}
    6 probsummary, Partial File Scan for query involving fields {flag, close.time, logical.name}
    5 probsummary, Partial File Scan for query involving fields {assignment, flag}
    4 probsummary, Partial File Scan for query involving fields {assign.mgr, open.time}
    4 outage, Partial File Scan for query involving fields {logical.name, outage.end, outage.start, outage.id}
    3 contacts, Partial File Scan for query involving fields {first.name, location.code}
    2 rootcause, Partial File Scan for query involving fields {status, assignment}
    2 rootcause, Partial File Scan for query involving fields {open, assignee.name}
    2 probsummary, Partial File Scan for query involving fields {priority.code, open.time}
    2 probsummary, Partial File Scan for query involving fields {flag, assign.mgr, open.time}
    2 probsummary, Partial File Scan for query involving fields {assignee.name, open.time}
    2 contacts, Partial File Scan for query involving fields {location, location.code}
    2 contacts, Partial File Scan for query involving fields {last.name, location.code}
    1 servicecontract, Full Fil 27916 02/24/2004 07:06:41 SUMMARY-1 The following event has been reported 3 times in the last hour
    1 screlatiot.service.reviews}
    1 screlation, Partial File Scan for query involving fields {source, source.filename, source.active 29602 02/24/2004 07:44:54 SUMMARY-1 The following event has been reported 4 times in the last hour
    1 screlation, Partial File Scan for query involving fields {source, source.filename, source.actit has been reported 15 times in the last hour
    1 screlation, Partial File Scan for query involving fields {depend, depfollowing event has been reported 5 times in the last hour
    1 screlation, Partial File Scan for query involving fields {depen 02/24/2004 02:07:42 Performance-2-schedule, Partial File Scan for query involving fields {pm.number, application}
    1 rootcause, Partial File Scan for query involving fields {status, assign.mgr}
    1 probsummary, Partial File Scan for query involving fields {priority.code, open.time, problem.status}
    1 probsummary, Partial File Scan for query involving fields {opened.by, priority.code, open.time}
    1 probsummary, Partial File Scan for query involving fields {opened.by, priority.code, open.time}
    1 probsummary, Partial File Scan for query involving fields {opened.by, open.time}
    1 probsummary, Partial File Scan for query involving fields {open.time, priority.code}
    1 probsummary, Partial File Scan for query involving fields {location.code, open.time}
    1 probsummary, Partial File Scan for query involving fields {location.code, open.time}
    1 probsummary, Partial File Scan for query involving fields {flag, close.time, logical.name}
    1 probsummary, Partial File Scan for query involving fields {category, subcategory, category3, open.time}
    1 probsummary, Partial File Scan for query involving fields {category, subcategory, category3, open.time}
    1 probsummary, Partial File Scan for query involving fields {assignment, open.time}
    1 probsummary, Partial File Scan for query involving fields {assignment, contact.name}
    1 probsumm0 did not match the query
    1 operat 26242 02/24/2004 06:26:13 SUMMARY-1 The following event has been reported 2 times in the last hour
    1 not achieved on file globallists and query (build.startup=true): Of 102 records checked, 30 did not match the query
    1 not achieved on file globallists and query (build.startup=true): Of 102 records checked, 30 did not match the query
    1 incidents, Partial File Scan for query involving fields {incident.id, op 487 02/24/2004 08:00:40 SUMMARY-1 The following event has been reported 10 times in the last hour
    1 incidents, Partial File Scan for query invo 8942 02/24/2004 10:34:10 SUMMARY-1 The following event has been reported 6 times in the last hour
    1 inbox, Partial File Scan for query involving fields {inbox.type, operar.incdepends.after.add), panel(select)
    1 inbox, Partial File Scan for quer 27602 02/24/2004 07:01:37 SUMMARY-1 The following event has been reported 15 times in the last hour
    1 inbox, Partial F 29116 02/24/2004 07:34:17 SUMMARY-1 The following event has been reported 4 times in the last hour
    1 globallists,build.startup, SQL Query incomplete because field (build.startup) not mapped in file (globallists)
    1 globallists,build.startup, SQL Query inc2004 12:18:14 Performance-2-incidents, Partial File Scan for query involving fields {incident.id, open}
    1 globallists, Hit Ratio not achieved on file globallists and query (build.startup=true): Of 102 records checked, 3 4210 02/24/2004 09:06:38 SUMMARY-1 The following event has been reported 3 times in the last hour
    1 globallists, 16740 02/24/2004 13:17:00 SUMMARY-1 The following event has been reported 13 times in the last hour
    1 for query involving fields {profile.incident}
    1 eventout, d, depend.filename, depend.active}
    1 eventout, F 5839 02/24/2004 09:35:58 SUMMARY-1 The following event has been reported 3 times in the last hour
    1 erddef, Partial File Scan for query involving fields {file1, cascade.deletes}
    1 dbdict, Hit Ratio not achieved on file dbdict and query (root.record~=-1 and (file.options,shadow=false or null(file.options,shadow))): Of 502 records checked, 330 did not match the query
    1 dbdict, Hit Ratio not achieved on file dbdict and query (root.record~=-1 and (file.options,shadow=false or null(file.options,shadow))): Of 108 records checked so far, 85 did not match the query
    1 dbdict, Hit Ratio not achieved on file dbdict and query (root.record=-1 or file.options,shadow=true): Of 501 records checked, 172 did not match the query
    1 dbdict, Hit Ratio not achieved on file dbdict and query (root.record=-1 or file.options,shadow=true): Of 101 records checked so far, 22 did not match the query
    1 datadict, Hit Ratio not achieved on file datadict and query (sc.manage.screen~="NULL"): Of 594 records checke 5765 02/24/2004 09:35:03 SUMMARY-1 The following event has been reported 8 times in the last hour
    1 datadict, Hit Ratio not achieved on file datadict and query (sc.manage.screen~="NULL"): 28327 02/24/2004 07:17:16 SUMMARY-1 The following event has been reported 4 times in the last hour
    1 contacts, Partial File Scan for query involving fields {location, location.code}
    1 contacts, Partial File Scan for query involving fields {location, email, company, location.code}
    1 contacts, Partial File Scan for query involving fields {location, email, company, location.code}
    1 contacts, Partial File Scan for query involving fields {first.name, location.code}
    1 contacts, Partial File Scan for query involving fields {contact.name, location.code}
    1 contacts, Partial File Scan for query involving fields {contact.name, location, location.code}
    1 Scan for query involving fields {source, source.filename, source.active}
    1 Scan for query involving fields {pm.number, application}
    1 Scan for query involving fields {class.name}
    1 Partial File Scan for query involving fields {inbox.type, operator.name, groups}
    1 File Scan for query involving fields {evsysseq, evtype}
    1 File Scan for query involving fields {depend, depend.filename, depend.active}

  5. #5
    Administrator tommy's Avatar
    Join Date
    Nov 2001
    Location
    Copenhagen
    Posts
    4,272

    Default

    The number is a count of how many times that particular message appeared in the log.

    What the next step is depends.

    How long a period does the log cover?

    I don't think the first 2 alerts about globallists are critical.

    Number 3 and 4 could be significant but it depends on how long a period the log covers. For example, if it covers 1 hour of sc operation I would say it can have a significant impact on the performance. If the log covers 1 week it is not important.

    Partial scan means that a query was done on fields that are not fully keyed.
    Best regards Tommy
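Added example (not part of the original posts): a variant of the pipeline from post #1 that finds the `Performance-<n>-` token by pattern instead of by `cut` field position, reports the first and last timestamp per message so the counts can be read against the period the log covers, and skips records that have another record's timestamp spliced into them, as in the output pasted in post #4. The record layout, the text after `;`, the function names and the sample lines are assumptions constructed from the fragments visible in the thread.

```sh
#!/bin/sh
# Added example, not code from the thread.
# Assumed layout: "<pid> MM/DD/YYYY HH:MM:SS Performance-<n>-<file>, <msg>; <rest>"

# Constructed sample records (not real log data); pid padding varies on purpose.
make_sample() {
cat <<'EOF'
 27916 02/24/2004 06:01:10 Performance-2-screlation, Partial File Scan for query involving fields {source, source.filename, source.active}; constructed trailer
   487 02/24/2004 07:30:00 Performance-2-screlation, Partial File Scan for query involving fields {source, source.filename, source.active} ; constructed trailer
 27916 02/24/2004 08:00:00 Performance-2-schedule, Partial File Scan for query involving fields {pm.number, application}; constructed trailer
 27916 02/24/2004 08:05:00 Performance-2-eventout, Full File Scan for query involving fields {evsysseq, evtype}; constructed trailer
 27916 02/24/2004 09:00:00 Performance-2-inbox, Partial F 29116 02/24/2004 09:00:01 SUMMARY-1 The following event has been reported 4 times in the last hour
 27916 02/24/2004 09:10:00 User constructed.user has logged in
 27916 02/24/2004 10:58:02 Performance-2-screlation,  Partial File Scan for query involving fields {source, source.filename, source.active}; constructed trailer
EOF
}

# $1 = log file. Prints: count <TAB> first seen <TAB> last seen <TAB> message,
# highest count first. Skipped-record total goes to stderr.
summarize_alerts() {
    awk '
    {
        # Find the category by pattern so padding before the pid cannot
        # shift the field positions the way it can with cut -d " ".
        if (!match($0, /Performance-[0-9]+-/)) next
        head = substr($0, 1, RSTART - 1)
        msg  = substr($0, RSTART + RLENGTH)
        sub(/;.*/, "", msg)                 # same effect as cut -d";" -f1
        gsub(/[ \t]+/, " ", msg)            # identical messages must compare equal
        sub(/^ /, "", msg); sub(/ $/, "", msg)
        # A timestamp inside the message means two records were spliced.
        if (msg ~ /[0-9][0-9]\/[0-9][0-9]\/[0-9][0-9][0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9]/) {
            skipped++; next
        }
        if (msg ~ /Full File Scan/) next    # same filter as grep -v
        n  = split(head, f, " ")            # last two tokens: date and time
        ts = (n >= 2) ? f[n-1] " " f[n] : "?"
        # Assumes the log is written in chronological order.
        if (!(msg in count)) first[msg] = ts
        last[msg] = ts
        count[msg]++
    }
    END {
        for (m in count)
            printf "%d\t%s\t%s\t%s\n", count[m], first[m], last[m], m
        if (skipped)
            printf "skipped %d interleaved record(s)\n", skipped > "/dev/stderr"
    }' "$1" | sort -t "$(printf '\t')" -k1,1nr -k4,4
}

# Demo run on the constructed sample.
sample=$(mktemp)
make_sample > "$sample"
summarize_alerts "$sample"
rm -f "$sample"
```

For the top ten on a real file, use `summarize_alerts alerts.log | head`.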

  6. #6
    Junior Member
    Join Date
    Feb 2004
    Location
    Overland Park KS
    Posts
    3

    Default RE - Analyze the alerts.log

    If I remember right I ran the grep against our file around noon. Our log files are archived nightly, so this would make the log contain info from around 6 am to 11 am roughly. Based on this it appears to be impacting?

    If so, looking at the guides, this is a performance 2 category. The admin guide states to create a key, but for which entry?
    {depend, depend.filename, depend.active} and {source, source.filename, source.active}.


    The guide points you to the error but does not list specifics. I appear to be missing some things. I admit I am learning some of this on the fly. Our site is not high on spending training dollars.
    Your help is appreciated. Thanks.

  7. #7
    Administrator tommy's Avatar
    Join Date
    Nov 2001
    Location
    Copenhagen
    Posts
    4,272

    Default

    How many users were logged on during that period? Did any experience poor performance?

    If nobody had slow response I would not do anything about the partial scan alerts.

    But if you want to do something then you need to look at the dbdict for screlation and review the current keys and first identify the keys that contain one or more of the fields mentioned in the alert.

    You can be in a situation where it is not advisable to change any of the keys. Sometimes changing a key can result in worse performance.


    By the way, when I am troubleshooting performance issues I do not use that alert log. Instead I enable the debugdbquery that lists all queries performed in sc. This also tells if a query is affecting performance.
    Best regards Tommy

  8. #8
    Junior Member
    Join Date
    Feb 2004
    Location
    Overland Park KS
    Posts
    3

    Default

    RE - We have a total of 20 named users and 35 floating licenses. On a normal day we have around a combined total of 35 - 40 users on at one time. We have only some reports of slow response, so you are most likely correct about not doing anything. I have been attempting to understand the logs in a more effective manner.

    We cannot run the debug query without shutting down the systems; this takes a scheduled time and at this point in time our group is not up to speed in analyzing the info created from this log data. I did this and sent it to our Peregrine rep; he is asking us to convert a file back to file in main state. This is the only item he could identify from the logs after the debug query. Our normal logs give errors but we cannot find these errors in the knowledge base. I think our logs are missing some key pointers. The admin guides state the logs should provide you with "processid date time SCnnnnnn *****error message***". But our logs seem to be missing the SCnnnnnn id. I cannot find any info to change this.

    I thank you for your help. If you have any areas I should look at in the Peregrine books to help, let me know. How did you become familiar with this data?

    24840 02/26/2004 09:33:42 User orr, jon has logged in and is using a Named license (14 out of a maximum 20)
    24840 02/26/2004 10:29:24 sqoracle: Length (82) of data for field brief.description exceeds max (60), truncated
    24840 02/26/2004 10:46:30 sqoracle: Length (68) of data for field brief.description exceeds max (60), truncated
    24840 02/26/2004 12:06:42 Could not find matching vobject address on format cc.incident.g
    24840 02/26/2004 12:06:42 Could not find matching vobject address on format cc.incident.g
    24840 02/26/2004 12:09:07 xvmsg_read: Error receiving data, Connection reset by peer, errno(131)
    24840 02/26/2004 12:09:07 Error in xvblockReceive
    24840 02/26/2004 12:09:07 Process termination in progress
    24840 02/26/2004 12:09:07 xprt_send: Error sending data over TCP connection,, Broken pipe, errno(32)
    24840 02/26/2004 12:09:07 xvmsg_send: Send failed, errno = 0


  9. #9
    Junior Member
    Join Date
    Jan 2003
    Location
    Marlborough, CT
    Posts
    24

    Default UNIX Commands on Windows

    Download Cygwin and use all those tasty UNIX commands on your bland Windows machine! Best of all, it's free!
