https://community.dynatrace.com/t5/DQL/Why-is-this-so-hard-Simple-log-parsing/m-p/301229#M3398 <P>Sometimes this works, sometimes it does not.... and quite frankly, the documentation is not helpful. Here is a log entry:</P> <P>Jun 25 15:31:20 HOSTNAME CEF:0|Netwrix|Activity Monitor|9.0.1477|Windows File SystemReadTrueFalse|FileMonitor|3|rt=2026-06-25 15:31:20.431 sntdom=MYDOMAIN suser=MYDOMAIN\asmith src=192.168.241.12 duser=<U><STRONG>C:\cycfgvol1\DEMProfile10\asmith\Desktop\MyCo Service Portal.lnk</STRONG></U> shost=MYCONETNAS01 msg=Policy Name= FileMonitor Object Class= Success= True Blocked= False Attribute Name= New Attribute Value= Old Attribute Value= Operation= Read</P> <P>The part that is bold and underlined is what I want to extract. Below is the DQL query I'm presently attempting to use (I get null values)</P> <P>fetch logs<BR />| parse content,"'duser= ' ALNUM:fPath 'shost="<BR />| filter ((matchesValue(dt.ingest.source.ip, "192.168.2.88")))</P> <P>I've also tried:</P> <P>fetch logs<BR />| parse content,"LD:text 'duser= ' LD{0,255}:thread1 'shost='"<BR />| filter ((matchesValue(dt.ingest.source.ip, "192.168.2.88")))</P> <P>&nbsp;</P> <P>and the weird part, parsing another string out of the log line, this works...</P> <P>fetch logs<BR />| parse content, "LD:text '|Windows File' LD{0,100}:PureCommand '|'"<BR />| fields PureCommand, dt.ingest.source.ip, content<BR />| filter ((matchesValue(dt.ingest.source.ip, "10.20.11.88")) )</P> <P>&nbsp;</P> <P>Ideally, I would like to extract both fields in the same DQL query.&nbsp;</P> <P>P.S. - if anyone has a "real" source of documentation for parse and DPL I'd be very interested in it... the 2 pages in the official doc's are sorely lacking.</P> <P>&nbsp;</P> <P>Thank you in advance.</P> <P>&nbsp;</P> Fri, 26 Jun 2026 06:30:58 GMT jim_hinze 2026-06-26T06:30:58Z https://community.dynatrace.com/t5/DQL/Why-is-this-so-hard-Simple-log-parsing/m-p/301229#M3398 <P>Sometimes this works, sometimes it does not.... and quite frankly, the documentation is not helpful. Here is a log entry:</P> <P>Jun 25 15:31:20 HOSTNAME CEF:0|Netwrix|Activity Monitor|9.0.1477|Windows File SystemReadTrueFalse|FileMonitor|3|rt=2026-06-25 15:31:20.431 sntdom=MYDOMAIN suser=MYDOMAIN\asmith src=192.168.241.12 duser=<U><STRONG>C:\cycfgvol1\DEMProfile10\asmith\Desktop\MyCo Service Portal.lnk</STRONG></U> shost=MYCONETNAS01 msg=Policy Name= FileMonitor Object Class= Success= True Blocked= False Attribute Name= New Attribute Value= Old Attribute Value= Operation= Read</P> <P>The part that is bold and underlined is what I want to extract. Below is the DQL query I'm presently attempting to use (I get null values)</P> <P>fetch logs<BR />| parse content,"'duser= ' ALNUM:fPath 'shost="<BR />| filter ((matchesValue(dt.ingest.source.ip, "192.168.2.88")))</P> <P>I've also tried:</P> <P>fetch logs<BR />| parse content,"LD:text 'duser= ' LD{0,255}:thread1 'shost='"<BR />| filter ((matchesValue(dt.ingest.source.ip, "192.168.2.88")))</P> <P>&nbsp;</P> <P>and the weird part, parsing another string out of the log line, this works...</P> <P>fetch logs<BR />| parse content, "LD:text '|Windows File' LD{0,100}:PureCommand '|'"<BR />| fields PureCommand, dt.ingest.source.ip, content<BR />| filter ((matchesValue(dt.ingest.source.ip, "10.20.11.88")) )</P> <P>&nbsp;</P> <P>Ideally, I would like to extract both fields in the same DQL query.&nbsp;</P> <P>P.S. - if anyone has a "real" source of documentation for parse and DPL I'd be very interested in it... the 2 pages in the official doc's are sorely lacking.</P> <P>&nbsp;</P> <P>Thank you in advance.</P> <P>&nbsp;</P> Fri, 26 Jun 2026 06:30:58 GMT https://community.dynatrace.com/t5/DQL/Why-is-this-so-hard-Simple-log-parsing/m-p/301229#M3398 jim_hinze 2026-06-26T06:30:58Z https://community.dynatrace.com/t5/DQL/Why-is-this-so-hard-Simple-log-parsing/m-p/301231#M3399 <P>Update...</P><P>This works</P><P>fetch logs<BR />| parse content, """LD 'duser=' LD:test 'shost='"""</P><P>&nbsp;</P><P>Next question, if I wanted to parse out part of the path returned, how do I escape the '\'</P><P>The following doesn't work</P><P>fetch logs<BR />| parse content, """LD 'duser=c:\\<U>cycfgvol1\\</U>' LD:test 'shost='"""</P> Thu, 25 Jun 2026 21:35:46 GMT https://community.dynatrace.com/t5/DQL/Why-is-this-so-hard-Simple-log-parsing/m-p/301231#M3399 jim_hinze 2026-06-25T21:35:46Z https://community.dynatrace.com/t5/DQL/Why-is-this-so-hard-Simple-log-parsing/m-p/301232#M3400 <P>Use DPL architect (click on extract fields).<BR />Probably you want something this (use any line data for duser value, extract into duser field until shost= is found:</P><LI-CODE lang="markup">| parse content, """LD 'duser=' LD:duser ' shost='"""</LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Thu, 25 Jun 2026 21:39:37 GMT https://community.dynatrace.com/t5/DQL/Why-is-this-so-hard-Simple-log-parsing/m-p/301232#M3400 Julius_Loman 2026-06-25T21:39:37Z https://community.dynatrace.com/t5/DQL/Why-is-this-so-hard-Simple-log-parsing/m-p/301240#M3401 <P>Maybe you can try with this approach, extracting the fields with DPL, then parse the path with DQL</P><LI-CODE lang="markup">| parse content, """LD '|Windows File' LD:PureCommand '|' LD "duser=" LD:path "shost="""" | fieldsAdd pathArray=splitString(path, "\\") | fieldsAdd pathElement2=pathArray[2], fileName=arrayLast(pathArray)</LI-CODE> Fri, 26 Jun 2026 06:14:32 GMT https://community.dynatrace.com/t5/DQL/Why-is-this-so-hard-Simple-log-parsing/m-p/301240#M3401 GerardJ 2026-06-26T06:14:32Z