14 Nov 2023 03:16 PM
Hello,
We are facing a problem parsing log lines where we understand that the root cause is due to the data being multiline.
Below is an example log:
2023-02-31 11:51:28,988 - INFO - Prediction Output: class0_proba=0.00 class1_proba=0.00
INFO: 0.0.0.0:12345 - "POST /api/v1/model/string/predict HTTP/1.1" 200 OK
We would like to parse the Status Code information but it is not being effective:
fetch logs
| filter contains(content, "POST")
| parse content, "LD 'HTTP/1.1\"' LD:httpcode "
In a log that is not multiline this parse works correctly. Does anyone have any idea how we can extract this information?
14 Nov 2023 04:43 PM
Hi @MarcioKaue
The reason is that LD only matches a single line. You have to use the DATA matcher, which is the multiline matcher.
| parse content, """DATA 'HTTP/1.1\" ' INT:httpcode"""
Best,
Sini
14 Nov 2023 06:05 PM
Thanks @sinisa_zubic, it worked perfectly!
14 Nov 2023 06:45 PM
@sinisa_zubic, can we also get other fields using DATA?
For example, get the status code and the API name "/api/v1/model/string/predict".
14 Nov 2023 07:16 PM
Yes, you can:
| parse content, """DATA '"' ALPHA:method ' ' LD:apiName ' HTTP/1.1\" ' INT:httpcode"""
If you are new to the Dynatrace Pattern Language, I would suggest that you check out these two resources:
https://www.dynatrace.com/news/blog/speed-up-your-security-investigations-with-dpl-architect/
https://docs.dynatrace.com/docs/platform/grail/dynatrace-pattern-language/dpl-architect
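
Added illustration, not part of any post in this thread and not Dynatrace code: a Python regex emulation of the small DPL subset used above, showing why the LD pattern fails on the two-line record while the DATA patterns extract the status code, method and API name. The regex equivalents chosen for LD, DATA, INT and ALPHA, the anchoring at the start of the field, and the names `MATCHERS`, `dpl_to_regex` and `parse` are assumptions made for this example.

```python
import re

# Approximate regex equivalents for the DPL matchers used in this thread.
# Assumption: LD stops at a line break, DATA does not. This is a Python
# illustration, not Dynatrace's implementation; all values come back as strings.
MATCHERS = {
    "LD": r"[^\r\n]*",    # line data: never crosses a newline
    "DATA": r"[\s\S]*",   # multiline data: newlines included
    "INT": r"[+-]?\d+",
    "ALPHA": r"[A-Za-z]+",
}
TOKEN = re.compile(r"\s*(?:'((?:[^'\\]|\\.)*)'|([A-Z]+)(?::(\w+))?)")

def dpl_to_regex(pattern):
    """Translate a DPL subset (quoted literals, LD, DATA, INT, ALPHA) to a regex."""
    pattern, tokens, pos = pattern.strip(), [], 0
    while pos < len(pattern):
        m = TOKEN.match(pattern, pos)
        if not m:
            raise ValueError(f"unsupported DPL near: {pattern[pos:]!r}")
        tokens.append(m.groups())
        pos = m.end()
    parts = []
    for i, (literal, name, export) in enumerate(tokens):
        if literal is not None:
            parts.append(re.escape(re.sub(r"\\(.)", r"\1", literal)))
            continue
        body = MATCHERS[name]
        if name in ("LD", "DATA") and i < len(tokens) - 1:
            body += "?"  # lazy: stop at the first place the next token fits
        parts.append(f"(?P<{export}>{body})" if export else f"(?:{body})")
    return re.compile("".join(parts))

def parse(content, pattern):
    """Match from the start of the field (assumed DPL behaviour); None if no match."""
    m = dpl_to_regex(pattern).match(content)
    return m.groupdict() if m else None

# The two-line record from the question, held in one content field.
RECORD = (
    "2023-02-31 11:51:28,988 - INFO - Prediction Output: class0_proba=0.00 class1_proba=0.00\n"
    'INFO: 0.0.0.0:12345 - "POST /api/v1/model/string/predict HTTP/1.1" 200 OK'
)
SINGLE_LINE = RECORD.split("\n")[1]

if __name__ == "__main__":
    print(parse(RECORD, "LD 'HTTP/1.1\" ' INT:httpcode"))    # None
    print(parse(RECORD, "DATA 'HTTP/1.1\" ' INT:httpcode"))  # {'httpcode': '200'}
```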