cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Log processing rule

tjay
Contributor

Hi,

I'm trying to parse an Apache log file, but "Test the rule" complains with "The matcher query doesn't match the provided log sample". Can someone tell why?

Process definition

PARSE(content, "IPADDR:'net.peer.ip'
SPACE
IPADDR:'net.proxy.ip'
' - '
LD:'enduser.id'
' [' TIMESTAMP('dd/MMM/yyyy:HH:mm:ss Z'):timestamp ']'
SPACE
'\"'
LD:'http.method'
SPACE
LD:'http.target'
SPACE
LD:'http.flavor'
'\"'
SPACE
INT:'http.status_code'
SPACE
LD:'http.response_content_length'
SPACE
'\"-\" \"' LD:'http.user_agent'
'; ' LD:'http.request.header.referrer' '\"'
(SPACE LD)? (EOL | EOF)")

Log sample

{
"content":"999.999.999.999 999.99.99.999 - - [31/Jan/2024:11:08:11 +0000] \"POST /xxx.php?doing_xxxxx=1706666891.5527100563049316406250 HTTP/1.1\" 200 - \"-\" \"MyApp/6.0; https://uat.xxxxx.com\""
}

6 REPLIES 6

tjay
Contributor

Even a simple parse is failing.

Process definition

PARSE(content, "IPADDR:'net.client.ip'
(SPACE LD)? (EOL | EOF)")

Log sample

{
"content":"99.999.999.999"
}

PacoPorro
Dynatrace Leader
Dynatrace Leader

Are you Log classic (v2) or Grail?
If grail, you should use

fetch logs
| parse content, "IPADDR:'net.client.ip' (SPACE LD)? (EOL | EOF)"

Thank you for your reply.

I'm doing it in the log processing and other built-in rules don't use fetch logs, etc.

I'm using the new one (I think it suggested to start using DQL from my memory).

PacoPorro
Dynatrace Leader
Dynatrace Leader

Try the processing with the fetch log (DQL) , should work.

Process Definition does not seem to like to have "fetch log".

tjay
Contributor

It turns out that I had to include other data in the sample section, ie, not only 'content'. The easiest way is to create a new rule from the logs and events screen by clicking "Create processing rule", which brings the necessary sample data automatically. 

Featured Posts