By default, XpoLog applies an automated pattern to parse the logs when you click the Save button on the first page of the Add Log wizard.
However, for certain log types (local, Windows Network, Over SSH, and Hadoop HDFS), XpoLog enables you to tune the log and parse it more deeply to normalize the log records into tabular format, by applying patterns on the incoming log data.
This can be performed from the Patterns Administration page, accessed by clicking the Next button on the first page of the Add Log wizard or Edit Log wizard.
The Patterns Administration page is divided into three sections, as follows:
- Upper pane – Text sample from the selected log. This pane presents the first 20 records from the incoming log (original data). You can copy and paste other records from the incoming log data into this section, and then view the results of applying a pattern to those records (see Verifying Patterns on Manually Selected Data).
- Central pane – Provides you with three different ways for configuring patterns to apply on the log data.
  - Wizard – Use the wizard to create or modify a pattern. As part of the wizard, you can set different indications on each column, such as type, length, optional, column name and more (more information on each type is presented in the wizard itself).
  - Manual – For advanced users who are familiar with the Pattern language (see Configuring a Manual Pattern).
  - Automatic – XpoLog matches patterns automatically and suggests possible patterns for deeper parsing. The level of accuracy of each suggested pattern, i.e. the percentage of records that were successfully parsed using that pattern, is displayed in parentheses next to it. This is only available when adding a log, not when editing a log.
- Bottom pane – Log records analysis results. Shows the results of each parsing, i.e. applying the pattern to the log data.
It may be necessary to configure more than one pattern for logs that have different types of records that cannot be represented by a single pattern. You can do so by clicking the New tab in the central pane.
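
The following added example (not XpoLog code, and not written in XpoLog's Pattern language) illustrates the accuracy percentage and the need for a second pattern when a log mixes record types. The sample records, the two pattern names and the use of Python regular expressions are all assumptions made for the illustration.

```python
import re

# Constructed sample records: two record layouts in one log (not real XpoLog data).
SAMPLE = [
    "2024-05-01 10:00:01 INFO sshd Accepted password for alice from 10.0.0.5",
    "2024-05-01 10:00:07 WARN sshd Failed password for root from 10.0.0.9",
    "[audit] user=bob action=login result=ok",
    "2024-05-01 10:01:12 INFO cron job started",
    "[audit] user=eve action=sudo result=denied",
]

# Hypothetical patterns written as Python regexes; XpoLog's Pattern language differs.
PATTERNS = {
    "timestamped": re.compile(
        r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
        r"(?P<level>[A-Z]+) (?P<source>\S+) (?P<message>.+)$"),
    "audit": re.compile(
        r"^\[audit\] user=(?P<user>\S+) action=(?P<action>\S+) result=(?P<result>\S+)$"),
}

def accuracy(pattern, records):
    """Percentage of records that the pattern parses successfully."""
    hits = sum(1 for r in records if pattern.match(r))
    return 100.0 * hits / len(records) if records else 0.0

def parse(records, patterns):
    """Try each pattern in order; return (rows, unparsed). A row is a dict of columns."""
    rows, unparsed = [], []
    for rec in records:
        for name, pat in patterns.items():
            m = pat.match(rec)
            if m:
                rows.append({"pattern": name, **m.groupdict()})
                break
        else:
            # No pattern matched: this record never reaches the tabular view.
            unparsed.append(rec)
    return rows, unparsed

if __name__ == "__main__":
    for name, pat in PATTERNS.items():
        print(f"{name}: {accuracy(pat, SAMPLE):.0f}%")
    rows, unparsed = parse(SAMPLE, PATTERNS)
    print(len(rows), "parsed,", len(unparsed), "unparsed")
```

Records left in `unparsed` are the ones a search or alert on column values would miss, which is why a low accuracy figure is worth resolving with an additional pattern.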