25 Jun 2026 09:46 PM - last edited on 26 Jun 2026 07:30 AM by MaciejNeumann
Sometimes this works, sometimes it does not... and quite frankly, the documentation is not helpful. Here is a log entry:
Jun 25 15:31:20 HOSTNAME CEF:0|Netwrix|Activity Monitor|9.0.1477|Windows File SystemReadTrueFalse|FileMonitor|3|rt=2026-06-25 15:31:20.431 sntdom=MYDOMAIN suser=MYDOMAIN\asmith src=192.168.241.12 duser=C:\cycfgvol1\DEMProfile10\asmith\Desktop\MyCo Service Portal.lnk shost=MYCONETNAS01 msg=Policy Name= FileMonitor Object Class= Success= True Blocked= False Attribute Name= New Attribute Value= Old Attribute Value= Operation= Read
The part that is bold and underlined is what I want to extract. Below is the DQL query I'm presently attempting to use (I get null values):
fetch logs
| parse content,"'duser= ' ALNUM:fPath 'shost="
| filter ((matchesValue(dt.ingest.source.ip, "192.168.2.88")))
I've also tried:
fetch logs
| parse content,"LD:text 'duser= ' LD{0,255}:thread1 'shost='"
| filter ((matchesValue(dt.ingest.source.ip, "192.168.2.88")))
and the weird part, parsing another string out of the log line, this works...
fetch logs
| parse content, "LD:text '|Windows File' LD{0,100}:PureCommand '|'"
| fields PureCommand, dt.ingest.source.ip, content
| filter ((matchesValue(dt.ingest.source.ip, "10.20.11.88")) )
Ideally, I would like to extract both fields in the same DQL query.
P.S. - if anyone has a "real" source of documentation for parse and DPL I'd be very interested in it... the 2 pages in the official docs are sorely lacking.
Thank you in advance.
25 Jun 2026 10:35 PM
Update...
This works
fetch logs
| parse content, """LD 'duser=' LD:test 'shost='"""
Next question, if I wanted to parse out part of the path returned, how do I escape the '\'
The following doesn't work
fetch logs
| parse content, """LD 'duser=c:\\cycfgvol1\\' LD:test 'shost='"""
25 Jun 2026 10:39 PM
Use DPL architect (click on extract fields).
Probably you want something like this (use any line data for the duser value, extract into the duser field until shost= is found):
| parse content, """LD 'duser=' LD:duser ' shost='"""
26 Jun 2026 07:14 AM
Maybe you can try this approach: extract the fields with DPL, then parse the path with DQL:
| parse content, """LD '|Windows File' LD:PureCommand '|' LD "duser=" LD:path "shost=""""
| fieldsAdd pathArray=splitString(path, "\\")
| fieldsAdd pathElement2=pathArray[2], fileName=arrayLast(pathArray)
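An added offline cross-check, not DQL and not from the thread: the same two-field extraction the original question asks for (signature name and duser path from one CEF line) plus the backslash split from the last reply, written in Python against a constructed copy of the posted log line. It assumes DQL arrays are 0-based, so pathArray[2] corresponds to segments[2] below.

```python
import re

# Constructed copy of the CEF line quoted in the question (same placeholder
# host names, domain and addresses as posted there).
SAMPLE = (
    "Jun 25 15:31:20 HOSTNAME CEF:0|Netwrix|Activity Monitor|9.0.1477|"
    "Windows File SystemReadTrueFalse|FileMonitor|3|rt=2026-06-25 15:31:20.431 "
    "sntdom=MYDOMAIN suser=MYDOMAIN\\asmith src=192.168.241.12 "
    "duser=C:\\cycfgvol1\\DEMProfile10\\asmith\\Desktop\\MyCo Service Portal.lnk "
    "shost=MYCONETNAS01 msg=Policy Name= FileMonitor Object Class= Success= True "
    "Blocked= False Attribute Name= New Attribute Value= Old Attribute Value= Operation= Read"
)

HEADER_FIELDS = ["version", "vendor", "product", "product_version",
                 "signature_id", "name", "severity"]


def parse_cef(line):
    """Split a CEF:0 record into its 7 pipe-delimited header fields and the
    extension key=value pairs.  Extension values may contain spaces and
    backslashes, so a value runs until the next ' key=' token: the same idea as
    the DPL pattern LD:duser ' shost=' that stops at the following key."""
    _, _, cef = line.partition("CEF:")
    parts = cef.split("|", 7)
    if len(parts) != 8:
        raise ValueError("not a CEF:0 record")
    header = dict(zip(HEADER_FIELDS, parts[:7]))
    # Lazy value, terminated by lookahead for the next ' key=' or end of string.
    # Caveat: the Netwrix msg payload itself uses 'Key= value' text, so msg is
    # split further by this generic rule; duser and shost are unaffected.
    pairs = re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", parts[7])
    return header, dict(pairs)


def extract_path_fields(line):
    """Return the fields the thread wants: the signature name (the source of
    the 'PureCommand' capture), the full duser path, its second path segment
    and the file name, mirroring splitString(path, "\\") in the DQL reply."""
    header, ext = parse_cef(line)
    segments = ext["duser"].split("\\")
    return {
        "signature_id": header["signature_id"],
        "path": ext["duser"],
        "shost": ext["shost"],
        "pathElement2": segments[2] if len(segments) > 2 else None,
        "fileName": segments[-1],
    }


if __name__ == "__main__":
    print(extract_path_fields(SAMPLE))
```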