https://community.dynatrace.com/t5/Dynatrace-tips/DQL-Tips-and-Tricks-Parsing-Log-Data-Across-a-Multi-Line-Log/m-p/207088#M778 <P>If you're like me, you're probably brand new to the DQL world and are quickly trying to learn everything you can when it comes to DQL queries.</P> <P>&nbsp;</P> <P>I recently had a client request a query to pull 2 specific fields out of a log and display them with on the log table within Dynatrace's new Logs and Events (Powered by Grail) tab. After some time, I got a solution that worked exactly how they wanted, and figured others might want the information I discovered.</P> <P>&nbsp;</P> <P>Here's the setup:</P> <UL> <LI>The task was to 'grab text from a multi-line log file and report it out (one being a string called ITN and an IP address called client_ip)'</LI> </UL> <P>&nbsp;</P> <P>Here's the DQL query I used:</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">fetch logs | filter contains(content, "Order modify unsuccessful") and dt.process.name == "tomcat" | parse content, "DATA 'Order modify unsuccessful' SPACE STRING:ITN" | parse content, "DATA 'clientIpAddress' LD ':' DQS:client_ip" | fields timestamp, content, ITN, client_ip </LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>And here's what the output table looks like:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="chris_smerek_0-1678922228923.png" style="width: 603px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/10486i6BC3EA6BBC631C6F/image-dimensions/603x98?v=v2" width="603" height="98" role="button" title="chris_smerek_0-1678922228923.png" alt="chris_smerek_0-1678922228923.png" /></span></P> <P>The key points to note on this query:</P> <UL> <LI>The 'DATA' content type is used to parse multi-line logs <UL> <LI>This had me stumped for a while as I was using LD (which only works on a single line of log data)</LI> </UL> </LI> <LI>The single quote 'Order modify unsuccessful' sets us up to point to the log data right after this string <UL> <LI>SPACE picks up a white space in between the last string and the next set of data we want to parse</LI> </UL> </LI> <LI>'STRING:ITN' tells the query to look for a string as the next set of log data, and save that string to a variable called 'ITN</LI> <LI>The next parse line is very similar to the previous one, except we want to pull out the IP address that's enclosed between double quotes <UL> <LI>'DQS:client_ip' pulls out any data that exists between a set of double quotes, and saves it to the variable called 'client_ip' <UL> <LI>Technically I could have used IPADDR here, but DQS made it easier for me to get the exact data</LI> </UL> </LI> </UL> </LI> <LI>The final line of the query just gives us a clean output table which displays the relevant information, namely the timestamp of the log, log content, and our 2 custom variables</LI> </UL> <P>&nbsp;</P> <P>That's it! I've posted a mock log file below this as well if folks want to give it a try on their own time:</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">2023/03/15 16:05:48.279 [ERROR] http-ono-8080-heyo-117 (com.test.are.we.OrderES) -&gt; {"testTransactionID":"123-456-789-10101-F90000000009","clientIpAddress":"192.168.12.122"}, ErrorException: [2405] Order modify unsuccessful (AB23JK) at com.website.are.bll.order.OrderBLLImpl.modifyOrder(OrderTESTImpl.java:1111) at com.website.are.ws.OrderWS.modifyOrder(OrderWS.java:222) at java.lang.reflect.Method.invoke(Method.java:333) at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:444)</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Hope this is helpful to anyone just starting out with DQL queries!</P> Fri, 24 Mar 2023 09:39:45 GMT chris_smerek 2023-03-24T09:39:45Z https://community.dynatrace.com/t5/Dynatrace-tips/DQL-Tips-and-Tricks-Parsing-Log-Data-Across-a-Multi-Line-Log/m-p/207088#M778 <P>If you're like me, you're probably brand new to the DQL world and are quickly trying to learn everything you can when it comes to DQL queries.</P> <P>&nbsp;</P> <P>I recently had a client request a query to pull 2 specific fields out of a log and display them with on the log table within Dynatrace's new Logs and Events (Powered by Grail) tab. After some time, I got a solution that worked exactly how they wanted, and figured others might want the information I discovered.</P> <P>&nbsp;</P> <P>Here's the setup:</P> <UL> <LI>The task was to 'grab text from a multi-line log file and report it out (one being a string called ITN and an IP address called client_ip)'</LI> </UL> <P>&nbsp;</P> <P>Here's the DQL query I used:</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">fetch logs | filter contains(content, "Order modify unsuccessful") and dt.process.name == "tomcat" | parse content, "DATA 'Order modify unsuccessful' SPACE STRING:ITN" | parse content, "DATA 'clientIpAddress' LD ':' DQS:client_ip" | fields timestamp, content, ITN, client_ip </LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>And here's what the output table looks like:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="chris_smerek_0-1678922228923.png" style="width: 603px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/10486i6BC3EA6BBC631C6F/image-dimensions/603x98?v=v2" width="603" height="98" role="button" title="chris_smerek_0-1678922228923.png" alt="chris_smerek_0-1678922228923.png" /></span></P> <P>The key points to note on this query:</P> <UL> <LI>The 'DATA' content type is used to parse multi-line logs <UL> <LI>This had me stumped for a while as I was using LD (which only works on a single line of log data)</LI> </UL> </LI> <LI>The single quote 'Order modify unsuccessful' sets us up to point to the log data right after this string <UL> <LI>SPACE picks up a white space in between the last string and the next set of data we want to parse</LI> </UL> </LI> <LI>'STRING:ITN' tells the query to look for a string as the next set of log data, and save that string to a variable called 'ITN</LI> <LI>The next parse line is very similar to the previous one, except we want to pull out the IP address that's enclosed between double quotes <UL> <LI>'DQS:client_ip' pulls out any data that exists between a set of double quotes, and saves it to the variable called 'client_ip' <UL> <LI>Technically I could have used IPADDR here, but DQS made it easier for me to get the exact data</LI> </UL> </LI> </UL> </LI> <LI>The final line of the query just gives us a clean output table which displays the relevant information, namely the timestamp of the log, log content, and our 2 custom variables</LI> </UL> <P>&nbsp;</P> <P>That's it! I've posted a mock log file below this as well if folks want to give it a try on their own time:</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">2023/03/15 16:05:48.279 [ERROR] http-ono-8080-heyo-117 (com.test.are.we.OrderES) -&gt; {"testTransactionID":"123-456-789-10101-F90000000009","clientIpAddress":"192.168.12.122"}, ErrorException: [2405] Order modify unsuccessful (AB23JK) at com.website.are.bll.order.OrderBLLImpl.modifyOrder(OrderTESTImpl.java:1111) at com.website.are.ws.OrderWS.modifyOrder(OrderWS.java:222) at java.lang.reflect.Method.invoke(Method.java:333) at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:444)</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Hope this is helpful to anyone just starting out with DQL queries!</P> Fri, 24 Mar 2023 09:39:45 GMT https://community.dynatrace.com/t5/Dynatrace-tips/DQL-Tips-and-Tricks-Parsing-Log-Data-Across-a-Multi-Line-Log/m-p/207088#M778 chris_smerek 2023-03-24T09:39:45Z https://community.dynatrace.com/t5/Dynatrace-tips/DQL-Tips-and-Tricks-Parsing-Log-Data-Across-a-Multi-Line-Log/m-p/212144#M838 <P>Thank you for these tips and tricks&nbsp;<a href="https://community.dynatrace.com/t5/user/viewprofilepage/user-id/51817">@chris_smerek</a>&nbsp;</P> Fri, 12 May 2023 19:39:48 GMT https://community.dynatrace.com/t5/Dynatrace-tips/DQL-Tips-and-Tricks-Parsing-Log-Data-Across-a-Multi-Line-Log/m-p/212144#M838 ChadTurner 2023-05-12T19:39:48Z