KBI 310312 Regular Expressions To Exclude Perfmon Instances
Version
Argent Advanced Technology – All Versions
Argent Extended Technology – All Versions
Date
18 May 2012
Summary
This document details how to use Regular Expressions (Regex) in Windows Performance Rules to precisely exclude or include instances based on string patterns.
Technical Background
NOTE: All Argent AT products and Argent XT 8.0A-1101 and newer support GUI selection of multiple instances for inclusion or exclusion; simply hold down CTRL when selecting instances and select the appropriate GUI options. The Regex pattern matching feature gives significantly more flexibility when needed.
To read this document, it is necessary to understand basic Regex principles. This knowledge is assumed from this point forward. There are several excellent references on the Internet that cover Regex pattern matching if the reader wishes to study them.
Argent AT:
Argent AT supports matching instances via a positive matching Regex. Exclusions are done via a logical “not” operator outside the Regex pattern in the form of a GUI option. You will see how it works below.
In the Network Interface Card example, there are three different cases of matching instances based on different parts of a string.
This screenshot shows the Performance Rule configuration screen where we select the instances to be monitored. Check the box for “Regular Expression” and type in your Regex. Then, select the option to Include or Exclude matched instances from the list of instances returned. In the case below, we’ll first look at inclusions.
Looking at the Regex closely:
(^Atheros.*|.*AB76AF}|.*Tunneling.*)
^Atheros.* matches any string starting with the word Atheros and anything following that string. With this, one can match several network cards from the same manufacturer. You can also use spaces for more specific patterns like: ^Atheros AR.*
.*AB76AF} matches the specific isatap interface by specifying a match for the last characters of the string and anything before it.
.*Tunneling.* matches any instance with the word Tunneling anywhere in the string. Keep in mind Regex defaults to case-sensitive matching. To match different upper-lower case combinations, either specify each combination or utilize Regex’s case-insensitive modifier.
The pipe “|” character is a logical “or” within the Regex. If you only have one string, you can omit this character.
The result of the above Regex is the rule only gathering data about the matched instances as shown in the trace log excerpt below:
Rule: PRF_NIC_REGEX_EXAMPLE
Rule Result: Not Broken
(Perf. Var#1) \Network Interface(Atheros AR8151 PCI-E Gigabit Ethernet Controller [NDIS 6.20])\Bytes Received/sec = 0
(Perf. Var#2) \Network Interface(Teredo Tunneling Pseudo-Interface)\Bytes Received/sec = 0
(Perf. Var#3) \Network Interface(Atheros AR9002WB-1NG Wireless Network Adapter)\Bytes Received/sec = 140.35
(Perf. Var#4) \Network Interface(isatap.{D788C576-43BD-4CDC-BF39-DB16CAAB76AF})\Bytes Received/sec = 0
In the screenshot below, we reverse the inclusion/exclusion setting so that we exclude from monitoring all the instances that are matched and include all the instances that don’t match the Regex.
The trace log excerpt below shows the resulting instances:
Rule: PRF_NIC_TEST
Rule Result: Not Broken
(Perf. Var#1) \Network Interface(isatap.{7A11EC0D-D615-42BE-ABF7-2052B2252BF0})\Bytes Received/sec = 0
(Perf. Var#2) \Network Interface(isatap.{7E333D7A-BBF7-4223-8012-E33EE8776623})\Bytes Received/sec = 0
(Perf. Var#3) \Network Interface(isatap.{8921E1EB-1E26-4C8E-BD4F-2E9633913EA0})\Bytes Received/sec = 0
(Perf. Var#4) \Network Interface(Microsoft Loopback Adapter)\Bytes Received/sec = 0
This has great application to drive letters where simply putting a * to gather all instances yields the _Total instance, HardDiskVolume# instances and also unwanted drive letters. One may not want to track these instances. Thus, we use a Regex that includes only the drives we want:
[A-CE-Za-ce-z]:
The above Regex matches A:, B:, C:, E: and so on. Notice how D is missing from the list. We are positively matching all letters except D. Also, the _Total instance and any other HardDiskVolume# instances will not be matched. Also note how we add lowercase letters in case a machine provides a lowercase drive letter as an instance.
Here is the screenshot of the GUI portion:
In the trace log excerpt below, you can see that Argent found C:, D: and the _Total instance, but only evaluated data for the C: instance.
Rule: PRF_DISK_ALL_15_REGEX Rule Result: Not Broken (Perf. Var#1) \LogicalDisk(C:)\% Free Space = 82.21 ---------------------------------- Trace ------------------------------------------ 12:08:31.026 Start testing server AG-0157-XP using 64-bit Monitor Engine 12:08:35.163 \LogicalDisk(C:)\% Free Space = 82.21 12:08:35.164 \LogicalDisk(D:)\% Free Space = 93.59 12:08:35.164 \LogicalDisk(_Total)\% Free Space = 88.43
If we were to take an exclusion-based approach, and knew exactly what types of exclusions could exist, we could do something like below and change the inclusion/exclusion operator in the GUI:
([DF-H]:|HardDiskVolume.*|_Total)
This Regex matches, D:, F:, G:, H:, all HardDiskVolume# instances and the _Total instance. The Exclude Pattern GUI option excludes these matched strings.
The result is the trace log is the same as the previous example of inclusions.
Argent XT:
The same process applies for Argent XT with one change. Excluding patterns is not possible via a GUI option nor within the Regex. One must explicitly match the instances wanted. In the case of disk instance matching, one simply uses the positive match example above: [A-CE-Za-ce-z]: and changes it as needed to avoid unwanted instances.
The exclusion feature will not be added to Argent XT. A free upgrade to Argent AT is required for this feature.
Resolution
N/A