
Log processing rule

tjay
Contributor

Hi,

I'm trying to parse an Apache log file, but "Test the rule" complains with "The matcher query doesn't match the provided log sample". Can someone tell me why?

Process definition

PARSE(content, "IPADDR:'net.peer.ip'
SPACE
IPADDR:'net.proxy.ip'
' - '
LD:'enduser.id'
' [' TIMESTAMP('dd/MMM/yyyy:HH:mm:ss Z'):timestamp ']'
SPACE
'\"'
LD:'http.method'
SPACE
LD:'http.target'
SPACE
LD:'http.flavor'
'\"'
SPACE
INT:'http.status_code'
SPACE
LD:'http.response_content_length'
SPACE
'\"-\" \"' LD:'http.user_agent'
'; ' LD:'http.request.header.referrer' '\"'
(SPACE LD)? (EOL | EOF)")

Log sample

{
"content":"999.999.999.999 999.99.99.999 - - [31/Jan/2024:11:08:11 +0000] \"POST /xxx.php?doing_xxxxx=1706666891.5527100563049316406250 HTTP/1.1\" 200 - \"-\" \"MyApp/6.0; https://uat.xxxxx.com\""
}

6 REPLIES

tjay
Contributor

Even a simple parse is failing.

Process definition

PARSE(content, "IPADDR:'net.client.ip'
(SPACE LD)? (EOL | EOF)")

Log sample

{
"content":"99.999.999.999"
}

PacoPorro
Dynatrace Champion

Are you Log classic (v2) or Grail?
If Grail, you should use

fetch logs
| parse content, "IPADDR:'net.client.ip' (SPACE LD)? (EOL | EOF)"

Thank you for your reply.

I'm doing it in the log processing and other built-in rules don't use fetch logs, etc.

I'm using the new one (I think it suggested to start using DQL from my memory).

PacoPorro
Dynatrace Champion

Try the processing with the fetch log (DQL), should work.

Process Definition does not seem to like to have "fetch log".

tjay
Contributor

It turns out that I had to include other data in the sample section, i.e., not only 'content'. The easiest way is to create a new rule from the logs and events screen by clicking "Create processing rule", which brings the necessary sample data automatically.
