Manual Creation of the Regex Type Parser

If you’ve identified the parser expression for your logs, then click on the Manual tab.

WARNING:

For Regex Type, after you’ve selected the Manual mode to create the parser, you can’t change to the Guided mode.

  1. In the Parser field, enter the parser name. For example, enter Database Audit Log Entries.

    Provide a suitable description for the parser so that it can be identified easily.

  2. In the Example Log Content field, paste the contents from a log file that you want to parse, such as the following:

    Tue May  6 23:51:23 2014
    LENGTH : '157'
    ACTION :[7] 'CONNECT'
    DATABASE USER:[3] 'sys'
    PRIVILEGE :[6] 'SYSDBA'
    CLIENT USER:[8] 'user1'
    CLIENT TERMINAL:[0] ''
    STATUS:[1] '0'
    DBID:[9] '592398530'
    
    Tue May  6 23:51:23 2014 +08:00
    LENGTH : '157'
    ACTION :[7] 'CONNECT'
    DATABASE USER:[3] 'sys'
    PRIVILEGE :[6] 'SYSDBA'
    CLIENT USER:[8] 'user1'
    CLIENT TERMINAL:[0] ''
    STATUS:[1] '0'
    DBID:[9] '592398530'
    

    Select the Handle entire file as a single log entry check box if required. If you do, consider also selecting the Enable raw-text searching on this content check box. This option lets you search the log records with the Raw Text field and, when enabled, view the original log content as raw text.

  3. In the Parse Expression field, enter the expression with delimiters.

    The parse expression is unique to each log type and depends on the format of the actual log entries. In this example, enter:

    \w+\s+(\w{3})\s+(\d{1,2})\s+(\d{2})\:(\d{2})\:(\d{2})\s+(\d{4})(?:\s+([+-]\d{2}\:?\d{2}))?.*

    Note:

    • Oracle Log Analytics also lets you parse the local time and date available in the log files by using the TIMEDATE expression format.

      So for those logs that use the TIMEDATE expression format, the preceding parse expression should be written as:

      {TIMEDATE}\s+(\d{1,2})\s+(\d{2})\:(\d{2})\:(\d{2})\s+(\d{4})(?:\s+([+-]\d{2}\:?\d{2}))?.*
    • If some log events don’t have a year assigned in the log, then Oracle Log Analytics assigns the year to those events.

    • If the time and date are not specified in the parser for a log file that’s parsed as a single log record, then Oracle Log Analytics uses the last modified time of the log file as the time of the record. Note that this date and time can be obtained only for log files that are collected through the agent, not for log files that are uploaded on demand.

    Note:

    • Don’t include any spaces before or after the content.

    • If you’ve included hidden characters in your parse expression, then the Create Parser interface issues an error message:

      Parser expression has some hidden control characters.

      To disable this default response, uncheck the Show hidden control characters check box when the error message appears.
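The two notes above (no surrounding spaces, no hidden control characters) can be checked before pasting an expression into the Create Parser interface. The following Python function is an added example, not part of Oracle Log Analytics or this page; it assumes that "hidden control characters" means Unicode control (Cc) and format (Cf) characters such as TAB, CR, the zero-width space and the byte-order mark, which is an assumption about what the interface flags.

```python
import unicodedata


def validate_parse_expression(expr):
    """Return a list of problems the Create Parser interface would object to.

    Assumption (not from the page): 'hidden control characters' are Unicode
    category Cc (control, e.g. TAB, CR, NUL) and Cf (format, e.g. U+200B
    zero-width space, U+FEFF byte-order mark). An empty list means the
    expression is clean.
    """
    problems = []
    # Rule 1 from the page: no spaces before or after the content.
    if expr != expr.strip():
        problems.append("leading or trailing whitespace")
    # Rule 2 from the page: no hidden control characters anywhere.
    for index, ch in enumerate(expr):
        if unicodedata.category(ch) in ("Cc", "Cf"):
            problems.append(
                "hidden control character U+%04X at index %d" % (ord(ch), index)
            )
    return problems


if __name__ == "__main__":
    # Constructed inputs: the page's expression, then two corrupted copies.
    clean = r"\w+\s+(\w{3})\s+(\d{1,2})"
    padded = " " + clean
    zero_width = clean[:3] + "\u200b" + clean[3:]  # invisible character pasted from a web page
    for candidate in (clean, padded, zero_width):
        print(repr(candidate), "->", validate_parse_expression(candidate) or "ok")
```

Invisible characters are typically picked up when an expression is copied from a rich-text source; the index in the message tells you where to cut.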

    To learn more about creating parse expressions, see Sample Parse Expressions.

  4. Select the appropriate Log Record Span.

    The log entry can be a single line or multiple lines. If you choose Multiple Lines, then enter the log record’s start expression.

    In the example, the start expression can be:
    \w+\s+(\w{3})\s+(\d{1,2})\s+(\d{2})\:(\d{2})\:(\d{2})\s+(\d{4})

    Optionally, you can enter the end expression too. Use End Expression to indicate the end of the log record. When a log record is written to the file in multiple chunks and you want the agent to pick up the complete log record that includes all the chunks, use the end regex. The agent waits until the end regex pattern is matched before it collects the log record. The same format rules apply to the end expression as to the Entry Start Expression.

    If you’ve selected Multiple Lines as the Log Record Span, then you can select Handle entire file as a single log entry. This option lets you parse an entire log file as a single log record. This is particularly useful when parsing log sources such as Java Hotspot Dump logs, RPM list of packages logs, and so on.

  5. In the Fields tab, select the relevant type for each component of the log entry.

    For each component, enter a name, data type, description, and expression. The first component in the example can be entered as follows:

    • Field Name: Month (Short Name)

    • Field Data Type: STRING

    • Field Description: Month component of the log entry time as short name, such as Jan

    • Field Expression: (\w{3})

    When you hover over a field name, an information icon appears. Hovering over the icon displays the description of the field in a floating window.
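To see how the pieces of steps 3 to 5 fit together, the following Python script is an added example (not Oracle Log Analytics code) that reproduces the behaviour described on this page offline: it splits the sample content from step 2 into records using the Entry Start Expression from step 4, applies the Parse Expression from step 3 to each record, and maps the capture groups to field names as in step 5. The sample log is copied from the page; the field names after Month (Short Name) are assumed, since the page names only the first field, and the record-splitting logic is this example's own reading of how a start expression works.

```python
import re

# Sample log content from step 2 of the page (constructed copy, two entries).
SAMPLE_LOG = """Tue May  6 23:51:23 2014
LENGTH : '157'
ACTION :[7] 'CONNECT'
DATABASE USER:[3] 'sys'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[8] 'user1'
CLIENT TERMINAL:[0] ''
STATUS:[1] '0'
DBID:[9] '592398530'

Tue May  6 23:51:23 2014 +08:00
LENGTH : '157'
ACTION :[7] 'CONNECT'
DATABASE USER:[3] 'sys'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[8] 'user1'
CLIENT TERMINAL:[0] ''
STATUS:[1] '0'
DBID:[9] '592398530'
"""

# Entry Start Expression from step 4: a line matching this begins a new record.
START_EXPR = re.compile(r"\w+\s+(\w{3})\s+(\d{1,2})\s+(\d{2})\:(\d{2})\:(\d{2})\s+(\d{4})")

# Parse Expression from step 3; the optional group captures a time zone offset
# such as +08:00 when present, and the trailing .* consumes the rest of the line.
PARSE_EXPR = re.compile(
    r"\w+\s+(\w{3})\s+(\d{1,2})\s+(\d{2})\:(\d{2})\:(\d{2})\s+(\d{4})"
    r"(?:\s+([+-]\d{2}\:?\d{2}))?.*"
)

# Field names for the seven capture groups. Only the first is from the page;
# the others are assumed names for this example.
FIELD_NAMES = [
    "Month (Short Name)", "Day", "Hour", "Minute", "Second", "Year", "Time Zone Offset",
]


def split_records(text):
    """Split multi-line content into log records.

    A line matching the start expression opens a new record; every other line is
    appended to the record currently being built. Lines that precede the first
    start match are kept as a record of their own so that they show up as a
    parse failure instead of silently disappearing.
    """
    records, current = [], []
    for line in text.splitlines():
        if START_EXPR.match(line) and current:
            records.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        records.append("\n".join(current))
    # Drop records that consist only of blank lines (e.g. the trailing separator).
    return [r.strip("\n") for r in records if r.strip()]


def parse_record(record):
    """Apply the parse expression to one record; return a field dict or None."""
    match = PARSE_EXPR.match(record)
    if match is None:
        return None
    return dict(zip(FIELD_NAMES, match.groups()))


def parser_test(text):
    """Mirror the Parser Test tab: return (parsed field dicts, failed records)."""
    parsed, failed = [], []
    for record in split_records(text):
        fields = parse_record(record)
        if fields is None:
            failed.append(record)
        else:
            parsed.append(fields)
    return parsed, failed


if __name__ == "__main__":
    ok, bad = parser_test(SAMPLE_LOG)
    for fields in ok:
        print(fields)
    print("failed records:", bad)
```

Running the script prints two field dictionaries: the first record has no Time Zone Offset (the optional group is absent, so its value is None), the second carries "+08:00". Any text that the start expression cannot place at the head of a record ends up in the failed list, which is the same information the Parser Test tab surfaces in step 7.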

  6. In the Functions tab, click Add to optionally add a function to pre-process log events. See Preprocess Log Events.

  7. Click the Parser Test tab to view how your newly created parser extracts values from the log content.

    You can view the list of events that failed the parser test and the details of the failure.

Click Save to save the new parser that you just created.

To abort creating the parser of regex type and to switch to creating a JSON type parser, under Type, select JSON.