You can use the wizard to create or modify a pattern. Use the wizard to add and name columns that represent the structure of the records. The wizard includes features to set different indications on each column, such as type, length, optional, and column name. More information on each type is presented in the wizard itself.
Inserting a Field or Separator
To insert a field:
- In the Wizard pattern editor, click the + button.
The Add Field dialog box opens.
- Follow the procedure in the following subsections that is relevant to the field or separator that you want to insert into the log record.
Note: Adding a field or separator can result in an error, such as "The marked field causes the log to be unparsed". In this case, edit or remove the field.
Inserting a Separator
You can insert between log fields one or more spaces or tabs, or any other separator that you choose.
To insert a separator:
- In Type, select Separator.
- In Separator, select Space, Tab, or Custom.
- If you selected Custom, in Insert separator, type the character to be used as a separator.
- In Num of repeats, type the number of the selected separator to insert.
- To configure advanced settings for the separator, click Advanced. Otherwise, continue with step 7.
- If the selected separator does not appear in all records, select the Optional checkbox.
- Click Apply.
The log records are refreshed in the bottom pane showing the added separator.
Inserting a String Field
The following procedure describes how to insert into a log record a field that has a string value.
To insert a string field:
- In Type, select String.
- In Name, type the name of the field (column heading).
- To configure advanced settings for the field, click Advanced. Otherwise, continue with step 11.
- In UI Message Length, type the maximum length of data displayed in a column. If the data is longer than this value, it continues onto the next line(s).
- In Field Types, type the set of strings that describe the field.
- In Chars Length, type the length of the character string. If there are fewer characters for this field in a log record, characters are added to the string to force it to be this length.
- In Trim Chars, type a character or string to delete from the column value. For example, typing $ means that $ will be deleted from log records with $ in this field.
- In Delimiter Chars, type a character or string for delimiting the column.
- In Mask Column, define the masking of column text by selecting one of the following:
  - Don't mask (default) - entire column value is displayed
  - Mask entire column text - entire column value is not displayed
  - Mask part of column text - part of the column value is masked. Use a regular expression and enclose the part you wish to mask in round brackets (). Note that all masked values are replaced with six * characters, regardless of the length of the masked value.
  - An Admin user sees masking only in the patterns administration part; the values cannot be masked from users who are part of the XpoLog Administrators group.
  - All users with patterns administration permissions (Edit log) will see all values in the patterns administration part.
  - Users who are restricted from viewing masked data are not able to perform searches on this data; the masked data does not exist in these users' context.
- Select the GeoIP checkbox to enable GeoIP for this field.
- If this string does not appear in all records, select the Optional checkbox.
- Click Apply.
The log records are refreshed in the bottom pane showing the added field.
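The partial-masking rule above (the bracketed part of a regular expression is replaced with six asterisks) can be checked against sample values before it is relied on. The following is an added illustration, not XpoLog code: the sample values and the expression are constructed, and leaving unmatched text unchanged is an assumption.

```python
import re

MASK = "******"  # per the page: six asterisks, whatever the masked value's length

def mask_value(value, pattern):
    """Replace every capture group that matched inside value with MASK.
    Assumption: text the expression does not match is left as it is."""
    spans = sorted(
        (m.span(g) for m in re.finditer(pattern, value)
         for g in range(1, m.re.groups + 1) if m.start(g) != m.end(g)),
        key=lambda s: (s[0], -s[1]),
    )
    out, last = [], 0
    for start, end in spans:
        if start < last:        # nested inside a group that is already masked
            continue
        out += [value[last:start], MASK]
        last = end
    out.append(value[last:])
    return "".join(out)

def unmasked_samples(samples, pattern):
    """Return the sample values that the expression fails to mask at all."""
    return [s for s in samples if mask_value(s, pattern) == s]

# Constructed column values; the third uses a layout the expression misses.
SAMPLES = [
    "user=alice card=4111111111111111 status=ok",
    "user=bob card=42 status=declined",
    "user=carol card: 4111 1111 1111 1111 status=ok",
]
PATTERN = r"card=(\d+)"  # constructed example expression

if __name__ == "__main__":
    for s in SAMPLES:
        print(mask_value(s, PATTERN))
    print("not masked:", unmasked_samples(SAMPLES, PATTERN))
```

Any value returned by `unmasked_samples` would reach restricted users in clear text, so the expression should be widened until that list is empty for a representative sample of the log.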
Inserting a Date Field
Inserting into a log record a field with a date value requires giving a name to the date field, and specifying how to format the date.
For example, if the text in the log is 2003-05-23 00:24:41,368, the format should be yyy-MM-dd HH:mm:ss,SSS.
Examples of optional identifiers are:
- MM – numeric month
- MMMMM – full textual month
- dd – numeric day
- EEEEE – full textual day
- EEE – textual day
- yy – two-digit year
- yyyy – four-digit year
- HH – 24 hour
- hh – 12 hour
- a – AM/PM marker
- mm – minute
- ss – second
- SSS – millisecond
- z – general time zone
- Z – RFC 822 time zone
- 'TEXT' – a constant text that appears in the date string
To insert a date field:
- In Type, select Date.
- In Name, type the name of the field (column heading).
- In Format, type the format to be used to format the date.
- To configure advanced settings for the field, click Advanced. Otherwise, continue with step 14.
- In UI Message Length, type the maximum length of data displayed in a column. If the data is longer than this value, it continues onto the next line(s).
- In Chars Length, type the length of the character string. If there are fewer characters for this field in a log record, characters are added to the string to force it to be this length.
- In Trim Chars, type a character or string to delete from the column value. For example, typing $ means that $ will be deleted from log records with $ in this field.
- In Delimiter Chars, type a character or string for delimiting the column.
- In Display Format, type the format in which to display the date.
- In Time Diff, specify the time offset in milliseconds. For example, to subtract 5 seconds from the result in the log view, type -5000.
  Text in log: 2003-05-23 00:24:41,368
  Time Diff Value: -5000
  Result in the log view: 2003-05-23 00:24:36,368
- In Locale, specify the locale in which the log was written.
- In Locale View, specify the locale in which the log should be displayed.
- If this date field does not appear in all records, select the Optional checkbox.
- Click Apply.
The log records are refreshed in the bottom pane showing the added field.
Inserting a Text Field
Same as Inserting a String Field above.
Inserting a Priority Field
The following procedure describes how to insert into a log record a priority field.
To insert a priority field:
- In Type, select Priority.
- In Name, type the name of the field (column heading).
- In Set Priorities, specify the set of priorities that can appear in the field, in a semi-colon separated list. Example: DEBUG;INFO;WARN;ERROR;FATAL
- To configure advanced settings for the field, click Advanced. Otherwise, continue with step 9.
- In Chars Length, type the length of the character string. If there are fewer characters for this field in a log record, characters are added to the string to force it to be this length.
- In Trim Chars, type a character or string to delete from the column value. For example, typing $ means that $ will be deleted from log records with $ in this field.
- In Delimiter Chars, type a character or string for delimiting the column.
- In Mask Column, define the masking of column text by selecting one of the following:
  - Don't mask (default) - entire column value is displayed
  - Mask entire column text - entire column value is not displayed
  - Mask part of column text - part of the column value is masked. Use a regular expression and enclose the part you wish to mask in round brackets (). Note that all masked values are replaced with six * characters, regardless of the length of the masked value.
  - An Admin user sees masking only in the administration part; the values cannot be masked from users who are part of the XpoLog Administrators group.
  - All users with patterns administration permissions (Edit log) will see all values in the patterns administration part.
  - Users who are restricted from viewing masked data are not able to perform searches on this data; the masked data does not exist in these users' context.
- If this field does not appear in all records, select the Optional checkbox.
- Click Apply.
The log records are refreshed in the bottom pane showing the added field.
Inserting a Choice Field
The following procedure describes how to insert into a log record a choice field.
To insert a choice field:
- In Type, select Choice.
- In Name, type the name of the field (column heading).
- In Set Choice, specify the set of choices that can appear in the field, in a semi-colon separated list. Example: RED;YELLOW;GREEN
- To configure advanced settings for the field, click Advanced. Otherwise, continue with step 10.
- In Chars Length, type the length of the character string. If there are fewer characters for this field in a log record, characters are added to the string to force it to be this length.
- In Trim Chars, type a character or string to delete from the column value. For example, typing $ means that $ will be deleted from log records with $ in this field.
- In Delimiter Chars, type a character or string for delimiting the column.
- In Mask Column, define the masking of column text by selecting one of the following:
  - Don't mask (default) - entire column value is displayed
  - Mask entire column text - entire column value is not displayed
  - Mask part of column text - part of the column value is masked. Use a regular expression and enclose the part you wish to mask in round brackets (). Note that all masked values are replaced with six * characters, regardless of the length of the masked value.
  - An Admin user sees masking only in the administration part; the values cannot be masked from users who are part of the XpoLog Administrators group.
  - All users with patterns administration permissions (Edit log) will see all values in the patterns administration part.
  - Users who are restricted from viewing masked data are not able to perform searches on this data; the masked data does not exist in these users' context.
- If this field does not appear in all records, select the Optional checkbox.
- Click Apply.
The log records are refreshed in the bottom pane showing the added field.
Inserting a Numeric Field
The following procedure describes how to insert into a log record a numeric field.
To insert a numeric field:
- In Type, select Number.
- In Name, type the name of the field (column heading).
- To configure advanced settings for the field, click Advanced. Otherwise, continue with step 9.
- In Chars Length, type the length of the character string. If there are fewer characters for this field in a log record, characters are added to the string to force it to be this length.
- In Trim Chars, type a character or string to delete from the column value. For example, typing $ means that $ will be deleted from log records with $ in this field.
- In Delimiter Chars, type a character or string for delimiting the column.
- In Mask Column, define the masking of column text by selecting one of the following:
  - Don't mask (default) - entire column value is displayed
  - Mask entire column text - entire column value is not displayed
  - Mask part of column text - part of the column value is masked. Use a regular expression and enclose the part you wish to mask in round brackets (). Note that all masked values are replaced with six * characters, regardless of the length of the masked value.
  - An Admin user sees masking only in the administration part; the values cannot be masked from users who are part of the XpoLog Administrators group.
  - All users with patterns administration permissions (Edit log) will see all values in the patterns administration part.
  - Users who are restricted from viewing masked data are not able to perform searches on this data; the masked data does not exist in these users' context.
- If this numeric field does not appear in all records, select the Optional checkbox.
- Click Apply.
The log records are refreshed in the bottom pane showing the added field.
Inserting a Timestamp Field
The following procedure describes how to insert into a log record a timestamp field.
To insert a timestamp field:
- In Type, select Timestamp.
- In Name, type the name of the field (column heading).
- In Display Format, type the format in which to display the time zone.
  For example:
  Text in log: 56895633232
  Display Format: yyyy/MM/dd
  Result in the log view: 2007/11/13
- To configure advanced settings for the field, click Advanced. Otherwise, continue with step 9.
- In Product, type the number by which to multiply the timestamp in the log to convert it into milliseconds. For example, to convert a timestamp in seconds to milliseconds, type 1000.
- If this timestamp field does not appear in all records, select the Optional checkbox.
- Click Apply.
The log records are refreshed in the bottom pane showing the added field.
Inserting a New Line Field
The following procedure describes how to insert into a log record a new line field.
To insert a new line field:
- In Type, select New Line.
- Click Apply.
The log records are refreshed in the bottom pane showing the added field.
Inserting an End of Event Field
The following procedure describes how to insert into a log record an End of Event field.
To insert an end of event field:
- In Type, select End of Event.
- Click Apply.
The log records are refreshed in the bottom pane showing the added field.
Inserting a GeoIP Field
The following procedure describes how to insert into a log record a GeoIP field.
To insert a GeoIP field:
- In Type, select GeoIP.
- In Name, type the name of the field (column heading).
- In Information, type the information appearing in the field: Country, Region, City; Country; Country Code; Region; City; None.
- To configure advanced settings for the field, click Advanced. Otherwise, continue with step 9.
- In Ref Index, type the zero-based index of the source column. The regular expression will be extracted according to this reference.
- In Ref Name, type the zero-based name of the source column. The regular expression will be extracted according to this reference.
- In Mask Column, define the masking of column text by selecting one of the following:
  - Don't mask (default) - entire column value is displayed
  - Mask entire column text - entire column value is not displayed
  - Mask part of column text - part of the column value is masked. Use a regular expression and enclose the part you wish to mask in round brackets (). Note that all masked values are replaced with six * characters, regardless of the length of the masked value.
  - An Admin user sees masking only in the administration part; the values cannot be masked from users who are part of the XpoLog Administrators group.
  - All users with patterns administration permissions (Edit log) will see all values in the patterns administration part.
  - Users who are restricted from viewing masked data are not able to perform searches on this data; the masked data does not exist in these users' context.
- If this GeoIP field does not appear in all records, select the Optional checkbox.
- Click Apply.
The log records are refreshed in the bottom pane showing the added field.
Inserting a Term Field
A term field is a constant string that appears in a record and needs to be displayed in the log view. For example, assume you have the following two records in your log:
03/07/2005 03:44:56 app1 IP=192.168.11.44 success (where IP is a source IP)
03/07/2005 03:44:57 app2 IP=192.168.12.33 failure (where IP is a destination IP)
The multi-pattern you should use is:
{date,dd/MM/yyyy HH:mm:ss} {term,app1} IP={text:Source IP} {string}
{date,dd/MM/yyyy HH:mm:ss} {term,app2} IP={text:Destination IP} {string}
This will result in the following log view:
03/07/2005 03:44:56 app1 192.168.11.44 success
03/07/2005 03:44:57 app2 192.168.12.33 failure
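The way the two patterns above route each record to a different IP column can be reproduced offline. The following is an added illustration, not XpoLog's parser: how each token is matched (`{text}` as one non-space run, `{string}` as the rest of the line, only the date identifiers used in this example) is an assumption.

```python
import re
from datetime import datetime

# Subset of the page's date identifiers mapped to strptime directives.
DATE_TOKENS = {"dd": "%d", "MM": "%m", "yyyy": "%Y", "HH": "%H", "mm": "%M", "ss": "%S"}

def compile_pattern(pattern):
    """Translate one pattern line into (compiled regex, column names, date format)."""
    regex, names, date_fmt, pos = "", [], None, 0
    for tok in re.finditer(r"\{(\w+)[,:]?([^}]*)\}", pattern):
        regex += re.escape(pattern[pos:tok.start()])   # literal text, e.g. " IP="
        pos = tok.end()
        kind, arg = tok.groups()
        if kind == "date":
            date_fmt = re.sub(r"[A-Za-z]+", lambda m: DATE_TOKENS[m.group()], arg)
            regex += "(" + re.sub(r"[A-Za-z]+", lambda m: r"\d+", re.escape(arg)) + ")"
        elif kind == "term":
            regex += "(" + re.escape(arg) + ")"         # constant that must be present
        elif kind == "text":
            regex += r"(\S+)"                           # assumed: one non-space run
        else:
            regex += "(.+)"                             # {string}: assumed rest of record
        names.append(arg if kind == "text" else kind)
    regex += re.escape(pattern[pos:])
    return re.compile(regex), names, date_fmt

def parse_record(record, patterns):
    """Return the columns from the first pattern that matches, or None if unparsed."""
    for pattern in patterns:
        rx, names, date_fmt = compile_pattern(pattern)
        m = rx.fullmatch(record)
        if not m:
            continue
        row = dict(zip(names, m.groups()))
        try:
            if date_fmt:
                row["date"] = datetime.strptime(row["date"], date_fmt)
        except ValueError:                              # digits present, date invalid
            continue
        return row
    return None

PATTERNS = [
    "{date,dd/MM/yyyy HH:mm:ss} {term,app1} IP={text:Source IP} {string}",
    "{date,dd/MM/yyyy HH:mm:ss} {term,app2} IP={text:Destination IP} {string}",
]

if __name__ == "__main__":
    print(parse_record("03/07/2005 03:44:56 app1 IP=192.168.11.44 success", PATTERNS))
    print(parse_record("03/07/2005 03:44:57 app2 IP=192.168.12.33 failure", PATTERNS))
```

A record whose constant matches neither term (for example a constructed `app3` line) returns `None`, which corresponds to an unparsed record.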
To insert a term field:
- In Type, select Term.
- In Name, type the name of the field (column heading).
- To configure advanced settings for the field, click Advanced. Otherwise, continue with step 7.
- In Mask Column, define the masking of column text by selecting one of the following:
  - Don't mask (default) - entire column value is displayed
  - Mask entire column text - entire column value is not displayed
  - Mask part of column text - part of the column value is masked. Use a regular expression and enclose the part you wish to mask in round brackets (). Note that all masked values are replaced with six * characters, regardless of the length of the masked value.
  - An Admin user sees masking only in the administration part; the values cannot be masked from users who are part of the XpoLog Administrators group.
  - All users with patterns administration permissions (Edit log) will see all values in the patterns administration part.
  - Users who are restricted from viewing masked data are not able to perform searches on this data; the masked data does not exist in these users' context.
- If this string does not appear in all records, select the Optional checkbox.
- Click Apply.
The log records are refreshed in the bottom pane showing the added field.
Inserting an IP Address Field
The following procedure describes how to insert into a log record an IP address field.
To insert an IP Address field:
- In Type, select IP Address.
- In Name, type the name of the field (column heading).
- To configure advanced settings for the field, click Advanced. Otherwise, continue with step 7.
- In Mask Column, define the masking of column text by selecting one of the following:
  - Don't mask (default) - entire column value is displayed
  - Mask entire column text - entire column value is not displayed
  - Mask part of column text - part of the column value is masked. Use a regular expression and enclose the part you wish to mask in round brackets (). Note that all masked values are replaced with six * characters, regardless of the length of the masked value.
  - An Admin user sees masking only in the administration part; the values cannot be masked from users who are part of the XpoLog Administrators group.
  - All users with patterns administration permissions (Edit log) will see all values in the patterns administration part.
  - Users who are restricted from viewing masked data are not able to perform searches on this data; the masked data does not exist in these users' context.
- Select the GeoIP checkbox to enable GeoIP for this field.
- If this string does not appear in all records, select the Optional checkbox.
- Click Apply.
The log records are refreshed in the bottom pane showing the added field.