I'm running into a problem where some events are parsed in the middle versus from the beginning of the string. For the below data, I received the following:
logMsgType: dTrace
logMsgType: d],DD.DTO.Users.GetUserInfoResponse],
logMsgType: dTrace
Why is the second line starting in the middle of the event instead of the first character?
Log.txt:
dTrace DDCDI1MSVC201_DD.DTO.Users.GetUserInfoResponse GetOne(System.String) 9:00:17 AM.018 2016-4 -21 [124] w3wp 36020 DD.Common.Logging.Infrastructure.LogManager DD.Common.Logging.Infrastructure.ILogManager.Log 0 0.0.0.0 0.0.0.0 {TAG:DD1FE36020VINT>6A2A0A0A.443} {CTX:0} : N/A Exit returned GD.DTO.Users.GetUserInfoResponse at 9:00:17 AM
dTrace DDCDI1MSVC201_DD.DTO.Users.GetUserInfoResponse Execute[Nullable`1,GetUserInfoResponse](DD.DAL.DBContext.UserProfileEntities, System.Func`2[System.Nullable`1[System.Guid],DD.DTO.Users.GetUserInfoResponse], System.Nullable`1[System.Guid]) 9:00:17 AM.018 2016-4 -21
dTrace DDCDI1MSVC201_DD.DTO.Users.GetUserInfoResponse GetOne(System.String) 9:00:17 AM.018 2016-4 -21 [124] w3wp 36020 DD.Common.Logging.Infrastructure.LogManager DD.Common.Logging.Infrastructure.ILogManager.Log 0 0.0.0.0 0.0.0.0 {TAG:DD1FE36020VINT>6A2A0A0A.441} {CTX:0} : N/A Enter at 9:00:17 AM
props.conf:
[customparse]
DATETIME_CONFIG = /etc/apps/search/local/datetime.xml
NO_BINARY_CHECK = true
category = Custom
disabled = false
pulldown_type = true
KV_MODE = none
EXTRACT-m = ^(?<logMsgType>d[^ ]+) +(?<domain>.+?) (?<time>\d{1,2}:[0-5]\d:[0-5]\d (?:A|P)M)\.(?<time_milliseconds>\d{3}) (?<date>\d{4}-\d{1,2} ?-\d{1,2} ?) (?<threadId>\[[^\]]*\]) (?<processName>[^ ]+) +(?<processId>\d+) (?<moduleName>[^ ]+) +(?<methodName>[^ ]+) +(?<errorCode>\d+) +(?<clientIp>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) +(?<serverIp>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) +(?<message>.*)(?<exception>\n(\>[^\n]+\n)*)?
MAX_TIMESTAMP_LOOKAHEAD = 50
SHOULD_LINEMERGE = true
TIME_PREFIX = ^d[^ ]+ +.+?(?= \d{1,2}:[0-5]\d:[0-5]\d (?:A|P)M)
datetime.xml:
<datetime>
  <define name="ddtimestamp" extract="hour, minute, second, ampm, subsecond, year, month, day">
    <text>(\d{1,2}):([0-5]\d):([0-5]\d) (AM|PM)\.(\d{3}) (\d{4})-(\d{1,2}) ? -(\d{1,2}) ?</text>
  </define>
  <timePatterns>
    <use name="ddtimestamp"/>
  </timePatterns>
  <datePatterns>
    <use name="ddtimestamp"/>
  </datePatterns>
</datetime>