Log File Parser Definition

The Log File Parser Definition page defines templates and parameters used to parse log files. Definitions are subsequently assigned to machine IDs using the Log Parser page. Log parsers are initially private, but can be shared with other administrators.

The Log File Parsing Cycle

The parsing of a log file is triggered whenever the log file is changed. In most cases this involves appending new text to the end of the file. To avoid scanning the entire log file from the beginning each time the file is updated, the agent parses log files as follows:

After each update the agent stores a "bookmark" of the last 512 bytes of a log file.
When the log file is updated again, the agent compares the bookmark from the old update with the same byte position in the new update.
Since log files may be archived before the log parser is run, parsing can include archives files if they exist.
You can specify sets of log files and sets of archive files by specifying full pathnames with asterisk (*) and question mark (?) wildcards. If a set of files is specified the parser begins with the latest file in the set.
If the bookmark text is the same in both the old update and the new update, the agent begins parsing text after the bookmark.
If the bookmark text is not the same and no Log Archive Path is specified, the agent parses the entire log file from the beginning. If a Log Archive Path is specified, the agent searches for the bookmark in the archive files. If the bookmark cannot be found, the agent bookmarks the end of the log file and starts parsing from there in the next cycle.
Once parsing is completed a new bookmark is defined based on the last 512 bytes of the newly updated log file and the process repeats itself.

Note: The parsing of a log file is not a script event itself. Only a new configuration, or reconfiguration, using Log Parser, Assign Parser Sets or Parser Summary generates a script you can see in the Script History or Pending Script tabs of the Machine Summary page.

Save

Select Save to save changes to a log file parser definition.

Save As...

Select Save As... to save a log file parser definition under a different name.

Delete

Select Delete to delete a log file parser definition.

Share...

You can share log file parser definitions you own with other individual administrators, administrator roles, or make the script public to all administrators.

Parser Name

Enter the name of the parser.

Log File Path

Enter the full UNC pathname or mapped drive pathname on the target machine of the log file you want to parse. You can use asterisk (*) or question mark (?) wildcards to specify a set of log files. If a log file set is specified, the log parser starts with the latest log file first. Example: \\morpheus\var\log\messages or n:\var\log\messages.

Log Archive Path

Enter the full UNC pathname or mapped drive pathname on the target machine of the archive files you want to parse. You can use asterisk (*) or question mark (?) wildcards to specify a set of archive files. If an archive set is specified, the log parser starts with the latest log file first. Example: \\morpheus\var\log\messages.* or n:\var\log\messages.*.

Description

Enter a description for the log parser.

Template

Enter a pattern of text and log file parameters. This pattern is used to search from the beginning of each line in a log file. If a pattern finds a match in the log file, the log file parameters in the pattern are populated with the values extracted from the log file.

You can use a percent (%) wildcard to specify an alphanumeric string of any length. A log file parameter is bracketed with the dollar ($) symbol. Enter $$ to match a pattern of text containing a $ symbol. Enter %% to match a pattern of text containing a % symbol.

Note: Template text patterns are case sensitive.

Example:

Log text: 126 Oct 19 2007 12:30:30 127.0.0.1 Device0[123]: return error code -1!
Template: $EventCode$ $Time$ $HostComputer$ $Dev$[$PID$]:%error code $ErrorCode$!
Parsed result:
EventCode=126
Time= 2007/10/19 12:30:30 Friday
HostComputer=127.0.0.1
Dev=Device0
PID=123
ErrorCode=-1

Guidelines:

To enter a tab character in the template edit box:
1. Copy and paste a tab character from log data.
2. Use {tab} if it is enter manually.
To create a template it is easier to copy the original text into the template, then replace the characters that can be ignored with %. Then replace the characters that are saved to a parameter with a parameter name.
Make sure all parameters in the template are defined in Log File Parameters.
A date time parameter must have both date and time information from the source data, otherwise just use a string parameter.

Multiline Template

If checked, multiple lines of text and log file parameters are used to parse the log file.

Output Template

Enter a pattern of text and log file parameters to store in Log Monitoring.

Example:

Output template: Received device error from $Dev$ on $HostComputer$. Code = $ErrorCode$.
Result output: Received device error from Device0 on 127.0.0.1. Code = -1.

Apply

Click Apply to add or update a parameter entered in the Name field.

Clear All

Click Clear All to remove all parameters from the parameter list.

Log File Parameters

Name

Enter the name of a parameter used to store a value. Parameters are subsequently used in the Template and Output Template text boxes.

Note: Do not bracket the name of the parameter with $ symbols in the Name field. This is only required when the parameter is entered in the Template and Output Template text boxes.

Type

Enter the data type appropriate for the parameter. If data parsed from a log file cannot be stored using that data type, the parameter remains empty.

Date Format

If the Type selected is Date Time, enter a Date Format.

yy, yyyy, YY, YYYY - two or four digit year
M - single or two digit month
MM - two digit month
MMM - abbreviation of month name, ex. "Jan"
MMMM - full month name, ex. "January"
D, d - single or two digit day
DD, dd - two digit day
DDD, ddd - abbreviation name of day of week, Ex. "Mon"
DDDD, dddd - full name of day of week, ex. "Monday"
H, h - single or two digit hour
HH, hh - two digit hour
m - single or two digit minute
mm - two digit minute
s - single or two digit second
ss - two digit second
f - one or more digit of fraction of second
ff - fffffffff - two to nine digit
t - one character time mark, ex. "a"
tt - two-character time mark, ex. "am"
Note: If you include a $Time$ parameter in your template, Log Monitoring uses the time stored in the $Time$ parameter as the log entry time. Date and time filtering is based on the log entry time. If a $Time$ parameter is not included in your template, then the time the entry was added to Log Monitoring serves as the log entry time.

Example:

Date time string: Oct 19 2007 12:30:30
DateTime template: MMM DD YYYY hh:mm:ss

UTC Date

Log Monitoring stores all date/time values as universal time, coordinated (UTC). This enables UTC date and times to be automatically converted to the administrator's local time when Log Monitoring data is displayed or when reports are generated.

If blank, the date and time values stored in the log file parameter are converted from the local time of the machine ID assigned the log parser to UTC. If checked, the date and time values stored in the log file parameter are UTC and no conversion is necessary.

Topic 3733: Send Feedback. Download a PDF of this online book from the first topic in the table of contents.