You can use the wizard to create or modify a pattern use the wizard to add and name columns that represent the structure of the records. The wizard includes features to set different indications on each column, such as type, length, optional, and column name. More information on each type is presented in the wizard itself.
Inserting a Field or Separator
To insert a field:
- In the Wizard pattern editor, click the + button.
The Add Field dialog box opens. - In Type, select Separator or another field type, such as String, Text, Date, Priority, Choices, Number, Timestamp, New Line, End of Event, GeoIP, IP Address, Term, Free Text, or an Advanced Option –Regular Expression, Function, Converter, or Google App Engine.
The parameters that have to be provided for the selected field type are displayed. - If you want to configure more parameters for the field, click the Advanced link to open the additional parameters for the selected field type.
Complete the parameters, and then click Apply.
Inserting a Separator
You can insert between log fields one or more spaces or tabs, or any other separator that you choose.
- In Type, select Separator.
- In Separator, select Space, Tab, or Custom.
- If you selected Custom, in Insert separator, type the character to be used as a separator.
- In Num of repeats, type the number of the selected separator to insert.
- To configure advanced settings for the separator, click Advanced. Otherwise, continue with step 7.
- If the selected separator does not appear in all records, select the Optional checkbox.
- Click Apply.
The log records are refreshed in the bottom pane showing the added separator.
Note: After clicking Apply, you may get an error, such as The marked field causes the log to be unparsed. In this case, edit or remove the separator.
Inserting a String Field
The following procedure describes how to insert into a log record a field that has a string value.
- In Type, select String.
- In Name, type the name of the field (column heading).
- To configure advanced settings for the field, click Advanced. Otherwise, continue with step 11.
- In UI Message Length, type the maximum length of data displayed in a column. If the data is longer than this value, it continues onto the next line(s).
- In Chars Length, type the length of the character string. If there are less characters for this field in a log record, characters are added to the string to force it to be this length.
- In Trim Chars, type a character or string to delete from the column value. For example, typing $ means that $ will be deleted from log records with $ in this field.
- In Delimiter Chars, type a character or string for delimiting the column.
- In Mask Column, define the masking of column text by selecting one of the following: Don't mask (default), Mask entire column text, Mask part of column text.
- Select the GeoIP checkbox to enable GeoIP for this field.
- If this string does not appear in all records, select the Optional checkbox.
- Click Apply.
The log records are refreshed in the bottom pane showing the added field.
Note: After clicking Apply, you may get an error, such as The marked field causes the log to be unparsed. In this case, edit or remove the field.
Inserting a Date Field
Inserting into a log record a field with a date value requires giving a name to the date field, and specifying how to format the date.
For example, if the text in the log is 2003-05-23 00:24:41,368, the format should be yyy-MM-dd HH:mm:ss,SSS.
Examples of optional identifiers are:
- MM – numeric month
- MMMMM – full textual month
- dd – numeric day
- EEEEE – full textual day
- EEE – textual day
- yy – two-digit year
- yyyy – four-digit year
- HH – 24 hour
- hh – 12 hour
- a – AM/PM marker
- mm – minute
- ss – second
- SSS – millisecond
- z – general time zone
- Z – RFC 822 time zone
- 'TEXT' – a constant text that appears in the date string
- In Type, select Date.
- In Name, type the name of the field (column heading).
- In Format, type the format to be used to format the date.
- To configure advanced settings for the field, click Advanced. Otherwise, continue with step 13.
- In UI Message Length, type the maximum length of data displayed in a column. If the data is longer than this value, it continues onto the next line(s).
- In Chars Length, type the length of the character string. If there are less characters for this field in a log record, characters are added to the string to force it to be this length.
- In Trim Chars, type a character or string to delete from the column value. For example, typing $ means that $ will be deleted from log records with $ in this field.
- In Delimiter Chars, type a character or string for delimiting the column.
- In Display Format, type the format in which to display the date.
- In Locale, specify the locale in which the log was written.
- In Locale View, specify the locale in which the log should be displayed.
- If this string does not appear in all records, select the Optional checkbox.
- Click Apply.
The log records are refreshed in the bottom pane showing the added field.
Note: After clicking Apply, you may get an error, such as The marked field causes the log to be unparsed.In this case, edit or remove the field.
Inserting a Date Field
Inserting into a log record a field with a date value requires giving a name to the date field, and specifying how to format the date.
For example, if the text in the log is 2003-05-23 00:24:41,368, the format should be yyy-MM-dd HH:mm:ss,SSS.
Examples of optional identifiers are:
- MM – numeric month
- MMMMM – full textual month
- dd – numeric day
- EEEEE – full textual day
- EEE – textual day
- yy – two-digit year
- yyyy – four-digit year
- HH – 24 hour
- hh – 12 hour
- a – AM/PM marker
- mm – minute
- ss – second
- SSS – millisecond
- z – general time zone
- Z – RFC 822 time zone
- 'TEXT' – a constant text that appears in the date string
- In Type, select Date.
- In Name, type the name of the field (column heading).
- In Format, type the format to be used to format the date.
- To configure advanced settings for the field, click Advanced. Otherwise, continue with step 13.
- In UI Message Length, type the maximum length of data displayed in a column. If the data is longer than this value, it continues onto the next line(s).
- In Chars Length, type the length of the character string. If there are less characters for this field in a log record, characters are added to the string to force it to be this length.
- In Trim Chars, type a character or string to delete from the column value. For example, typing $ means that $ will be deleted from log records with $ in this field.
- In Delimiter Chars, type a character or string for delimiting the column.
- In Display Format, type the format in which to display the date.
- In Locale, specify the locale in which the log was written.
- In Locale View, specify the locale in which the log should be displayed.
- If this string does not appear in all records, select the Optional checkbox.
- Click Apply.
The log records are refreshed in the bottom pane showing the added field.
Note: After clicking Apply, you may get an error, such as The marked field causes the log to be unparsed. In this case, edit or remove the field.