
Group_try

The command group_try executes one or more "try" commands in one of several modes; the modes used on this page are try_all_successively, try_all and try_until_success.

The command group_try is commonly used when parsing a "free-text" section of a log that contains several fields you want to extract. For example:

%PIX-6-605004: Login denied from 194.29.40.24/4813 to outside:192.168.35.15/ssh for user 'root'

To parse this section of the log, you can use this structure:

Group_try Command Sample 1

:command (
      :cmd_name (group_try)
      :mode (try_all_successively)
      :(
            # A "try" command for the source.
            :command ()
      )
      :(
            # A "try" command for the destination.
            :command ()
      )
      :(
            # A "try" command for the user.
            :command ()
      )
      .
      .
      .
)

In this example, the try commands in the group_try block are executed in sequence, starting with the first one (for the source).

If the source, destination and user do not appear in a fixed sequence in the syslog, use the try_all mode instead of try_all_successively.

Group_try Command Sample 2

In this example, the regular expressions in the different commands each match a different, more specific log format. At most one command in the group_try block will succeed, and once it is found it is not necessary to examine the others:

:command (
    :cmd_name (group_try)
    :mode (try_until_success)
    :(
         :command (
              .
              .
              .
              :regexp ("(\(|)(login|su)(\)|).* session (opened|closed) for user ([a-zA-Z0-9]*)")
         )
    )
    :(
         :command (
              .
              .
              .
              :regexp ("(\(|)su(\)|).* authentication failure; logname=([a-zA-Z0-9]*).* user=([a-zA-Z0-9]*)")
         )
    )
    .
    .
    .
)

Note - When you add a new device, the first group_try command in its parsing file must use the try_until_success mode:

:cmd_name (group_try)
:mode (try_until_success)
:(
….
)