Defining Log Decoder Parse Rules


A single rule is defined by the following XML elements:

  • RULE (element, required) - Each rule is enclosed in a RULE element.

    • id (attribute, required) - A name associated with the rule.

    • stop (attribute, optional) - An attribute to stop the rule.

    • order (attribute, optional) - An attribute to order the rule.

  • LITERAL (child of RULE, requires one or more) - The literal defines the string inside each log message for which Log Decoder will search. Multiple literals can be defined.

    • value (attribute, required) - The string value for which to search.

  • PATTERN (child of RULE, requires exactly one) - A pattern is defined as either a regex or a format.

    • regex (attribute, optional) - A regular expression that can be used to extract one or more values from the matched string.

    • format (attribute, optional) - A built-in format type for which to scan and extract values (see Built-In Formats below).

    • range (attribute, optional) - Determines the range to be searched for the pattern before and after the found LITERAL token. It supports the following values:

      • Value: after
      • Description: Applies regex after the anchor till the end of the log. This is the default value.

      • Value: before
      • Description: Applies regex from the beginning of the log till the starting position of the anchor.

      • Value: all
      • Description: Applies regex to entire log.

      • Value: before, after
      • Description: Applies regex to entire log.


      • Value: Negative Integer (-X)
      • Description: Applies regex to the X characters (or as many as are available) before the found LITERAL token.

      • Value: Positive Integer (+X)
      • Description: Applies regex to the X characters (or as many as are available) after the found LITERAL token.


      • Value: -X, +Y (Combination of Positive and Negative Integers)
      • Description: Applies regex from X characters (or as many as are available) before the found LITERAL token to Y characters (or as many as are available) after the found LITERAL token. Example: range="-15,+12"

      • Value: -X, after (Combination of Negative Integer and After)
      • Description: Applies regex from X characters (or as many as are available) before the found LITERAL token to the end of the log. Example: range="-15,after"


  • CAPTURE (child of PATTERN, optional) - A capture is used when extracting data from the log that was captured by the regular expression defined in PATTERN.

    • index (attribute, required) - The index of the regex match to capture.

    • key (attribute, required) - The meta key into which to assign the captured value.

    • format (attribute, optional) - The NwType of the key to be created (for example, Text, IPv4, UInt32 and so on). Default is Text.

  • META (child of RULE, optional) - A meta element defines meta values that get created when there is a match for the pattern.

    • key (attribute, required) - The meta key into which to store the value.

    • value (attribute, required) - The value to store.

    • format (attribute, optional) - The NwType of the key to be created (for example, Text, IPv4, UInt32 and so on). Default is Text.

Note: The format defined in the CAPTURE and META elements determines the meta type of the corresponding key. If this meta key is defined elsewhere in Log Decoder (in another parser, a language file and so on) and the types do not match, an error is generated and the parse rule could potentially be disabled.
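
The range values listed under PATTERN decide which slice of the log the regex is applied to. The Python model below is an added illustration, not Log Decoder code: it assumes the first occurrence of the LITERAL is the anchor, that after and +X start at the end of the literal, that before and -X stop at its start, and that the CAPTURE index is the regex group number; the log line is constructed.

```python
import re

def token_span(tok, start, end, n):
    """Map one range token to (lo, hi) offsets around the anchor [start, end)."""
    if tok == "before":
        return 0, start
    if tok == "after":
        return end, n
    if tok == "all":
        return 0, n
    if re.fullmatch(r"-\d+", tok):       # -X: X or available characters before
        return max(0, start - int(tok[1:])), start
    if re.fullmatch(r"\+\d+", tok):      # +X: X or available characters after
        return end, min(n, end + int(tok[1:]))
    raise ValueError(f"unsupported range token: {tok!r}")

def search_window(log, literal, rng="after"):
    """Return the part of `log` the PATTERN regex would see, or None if no anchor."""
    start = log.find(literal)            # assumption: first occurrence is the anchor
    if start < 0:
        return None                      # LITERAL absent: the rule does not match
    end = start + len(literal)
    spans = [token_span(t.strip(), start, end, len(log)) for t in rng.split(",")]
    # A combined value runs from the first token's lower bound to the last one's upper bound.
    return log[spans[0][0]:spans[-1][1]]

def capture(log, literal, regex, rng="after", index=1):
    """Apply `regex` inside the window and return group `index` (assumed mapping)."""
    window = search_window(log, literal, rng)
    m = re.search(regex, window) if window is not None else None
    return m.group(index) if m else None

# Constructed sample log line and patterns (not from the product documentation)
LOG = "fw01 sshd[311]: Failed password for admin from 10.1.2.3 port 4022 ssh2"
ANCHOR = "Failed password"
IP_RE = r"from (\d+\.\d+\.\d+\.\d+)"
PORT_RE = r"port (\d+)"

if __name__ == "__main__":
    for rng in ("after", "before", "+10", "-11,+10", "-15,after"):
        print(f"{rng:>10} -> {search_window(LOG, ANCHOR, rng)!r}")
```

In this model a window that ends inside a value truncates it without any error: with range="+32" the port pattern captures 40 instead of 4022, so size a numeric range for the longest value the field can hold.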

Built-In Formats

Log Decoder Parse Rules also offer several built-in formats for the more commonly used types. These formats are:

  • Format: IPv4
  • Description: ipv4
  • Example: 192.168.1.1

  • Format: IPv6
  • Description: ipv6
  • Example: 2607:f0d0:1002:51::4

  • Format: MAC
  • Description: physical MAC address
  • Example: 01:23:45:67:89:ab

  • Format: UInt8
  • Description: unsigned 8-bit integer
  • Example: 0 to 255

  • Format: UInt16
  • Description: unsigned 16-bit integer
  • Example: 0 to 65535

  • Format: UInt32
  • Description: unsigned 32-bit integer
  • Example: 0 to 4294967295


  • Format: UInt64
  • Description: unsigned 64-bit integer
  • Example: 0 to 18446744073709551615

  • Format: Int8
  • Description: signed 8-bit integer
  • Example: -128 to 127


  • Format: Int16
  • Description: signed 16-bit integer
  • Example: -32768 to 32767

  • Format: Int32
  • Description: signed 32-bit integer
  • Example: -2147483648 to 2147483647


  • Format: Int64
  • Description: signed 64-bit integer
  • Example: -9223372036854775808 to 9223372036854775807

  • Format: Float32
  • Description: decimal numbers
  • Example: 2.71818


  • Format: Float64
  • Description: decimal numbers
  • Example: 2.71818

  • Format: Email
  • Description: valid email address
  • Example: bob@company.com

  • Format: Hostname
  • Description: RFC-1123 compliant hostname
  • Example: abc.xzy.com