Solved: DQL Parse command

Sisapy09 · ‎17 Apr 2025

just practicing the DQL commands, can someone help me fix this parse command. it is from demo env. and if anyone have better document to understand the DQL with example. please share with me.

fetch logs
| filter matchesValue(loglevel, "Error")
| filter contains(content, "Failed to export to Stackdriver")
| fields content
| parse content, """TIMESTAMP:time LD:Error ':' LD:type ':' LD:code LD:desc"""

Sisapy09 · ‎17 Apr 2025

i tried this, able to extract fields but is there any better way to do it.

content: "2025/04/17 05:26:21 Failed to export to Stackdriver: rpc error: code = PermissionDenied desc = The caller does not have permission"

marco_irmer · ‎18 Apr 2025

My guess is that the TIMESTAMP matcher you are using needs to be modified with the format modifier in order to successfully extract the timestamp.

The DQL will then have the pattern defined in the format & position as shown in the example below:

| parse content, """TIMESTAMP('<pattern goes here>'):time LD:Error ':' LD:type ':' LD:code LD:desc"""

Sisapy09 · ‎21 Apr 2025

@marco_irmer it is not working, below is the content. try it if you can get the fields in easy format.

"2025/04/21 09:39:20 Failed to export to Stackdriver: rpc error: code = PermissionDenied desc = The caller does not have permission"

StrangerThing · ‎21 Apr 2025

data record(content="2025/04/21 09:39:20 Failed to export to Stackdriver: rpc error: code = PermissionDenied desc = The caller does not have permission")
| parse content, """TIMESTAMP('YYYY/MM/DD HH:mm:ss'):time LD:Error ':' LD:type ':' SPACE 'code = ' LD:code SPACE 'desc = 'LD:desc"""

Observability Engineer at FreedomPay