Defining Log Decoder Parse Rules

A single rule is defined by the following XML elements:

  • RULE (element, required) - Each rule is enclosed in a RULE element.

    • id (attribute, required) - A name associated with the rule.

    • stop (attribute, optional) - An attribute to stop the rule.

    • order (attribute, optional) - An attribute to order the rule.

  • LITERAL (child of RULE, requires one or more) - The literal defines the string inside each log message for which Log Decoder will search. Multiple literals can be defined.

    • value (attribute, required) - The string value for which to search.

  • PATTERN (child of RULE, requires exactly one) - A pattern is defined as either a regex or a format.

    • regex (attribute, optional) - A regular expression that can be used to extract one or more values from the matched string.

    • format (attribute, optional) - A built-in format type for which to scan and extract values (see Built-In Format below).

    • range (attribute, optional) - Determines the range to be searched for the pattern before and after the found LITERAL token. It supports the following values:

  • CAPTURE (child of PATTERN, optional) - A capture is used when extracting data from the log that was captured by the regular expression defined in PATTERN.

    • index (attribute, required) - The index of the regex match to capture.

    • key (attribute, required) - The meta key into which to assign the captured value.

    • format (attribute, optional) - The NwType of the key to be created (for example, Text, IPv4, UInt32, and so on). Default is Text.

  • META (child of RULE, optional) - A meta element defines meta values that get created when there is a match for the pattern.

    • key (attribute, required) - The meta key into which to store the value.

    • value (attribute, required) - The value to store.

    • format (attribute, optional) - The NwType of the key to be created (for example, Text, IPv4, UInt32, and so on). Default is Text.

Note: The format defined in the CAPTURE and META elements determines the meta type of the corresponding key. If this meta key is defined elsewhere in Log Decoder (in another parser, a language file, and so on) and the types do not match, an error is generated and the parse rule could potentially be disabled.
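
A pre-deployment lint for the element requirements listed above and for the type mismatch described in the note, given as an added example that is not part of the original documentation or of the product. The RULES wrapper element, the sample rules, the meta key names, and the lint_rules function are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample. The <RULES> wrapper, rule ids, regexes, index values and
# meta key names are assumptions for this example, not taken from the page.
SAMPLE = r"""
<RULES>
  <RULE id="ssh-failed-login">
    <LITERAL value="Failed password for"/>
    <PATTERN regex="for (\S+) from (\S+)">
      <CAPTURE index="1" key="user.dst"/>
      <CAPTURE index="2" key="ip.src" format="IPv4"/>
    </PATTERN>
    <META key="ec.outcome" value="Failure"/>
  </RULE>
  <RULE id="bad-rule">
    <PATTERN regex="src=(\S+)">
      <CAPTURE index="1" key="ip.src"/>
    </PATTERN>
    <META key="ec.outcome"/>
  </RULE>
</RULES>
"""

def lint_rules(xml_text, known_types=None):
    """Return a list of problems; an empty list means every rule passed."""
    problems = []
    types = dict(known_types or {})  # meta key -> NwType defined elsewhere
    for rule in ET.fromstring(xml_text).iter("RULE"):
        rid = rule.get("id") or "?"
        if rule.get("id") is None:
            problems.append("RULE missing id")
        literals = rule.findall("LITERAL")
        if not literals or any(l.get("value") is None for l in literals):
            problems.append(f"{rid}: needs at least one LITERAL with a value")
        patterns = rule.findall("PATTERN")
        if len(patterns) != 1:
            problems.append(f"{rid}: needs exactly one PATTERN")
        for pat in patterns:  # "either ... or" is read here as exactly one of the two
            if (pat.get("regex") is None) == (pat.get("format") is None):
                problems.append(f"{rid}: PATTERN needs a regex or a format")
        for el in rule.iter():
            if el.tag not in ("CAPTURE", "META"):
                continue
            need = ("index", "key") if el.tag == "CAPTURE" else ("key", "value")
            missing = [a for a in need if el.get(a) is None]
            if missing:
                problems.append(f"{rid}: {el.tag} missing {', '.join(missing)}")
            key, nwtype = el.get("key"), el.get("format", "Text")  # Text is the default
            if key and types.setdefault(key, nwtype) != nwtype:
                problems.append(f"{rid}: {key} is {types[key]} elsewhere, {nwtype} here")
    return problems
```

Pass the meta key types already defined by other parsers or language files as known_types so that a conflicting CAPTURE or META format is caught before the rule is loaded.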

Built-In Formats

Log Decoder Parse Rules also offer several built-in formats for the more commonly used types. These formats are: