Post processing trace statements.


After doing log analysis for a project for a while, you will start identifying the key trace statements. These are the statements you search for in most of your logs. If you are using my log analyzer (log parser) tool, you will have a rule for each of the key trace statements.

You will also notice that some of those statements are not "user friendly". Maybe they report the execution of a function or method. Or they provide too much information. Or you just don't like the words being used.

At the end of the day your index could have entries like these:

 1385 -> Apr 8 16:55:15 MiniPaquina : Kernel::Boot( 3.0.0-17-generic).

 1834 -> SNR: sBlock.getState() = 1

 5014 -> 15.219.169.69 - - [04/Apr/2012:18:51:27 -0700] "GET /downloads/LogAnalyzer.zip HTTP/1.1" 200 5555533 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)"

But you would prefer to "change" them to something like:

 1385 -> Turning on at Apr 8 16:55:15.

 1834 -> Obstacle ahead !

 5014 -> Downloading: LogAnalyzer.zip

The best way to make this happen is to change the trace statements in the source code. Unfortunately this is not always possible: maybe you are not the owner of that component, the statement is generated automatically, or it is safer to report all the information and let the user of the log select the relevant portion.

An alternative for these cases (if you are using the log analyzer) is to use the "format" element of each rule to create your own output that combines portions of the original line with your own strings. Let's explore this option with an example.

If the line to find is:

 5014 -> 15.219.169.69 - - [04/Apr/2012:18:51:27 -0700] "GET /downloads/LogAnalyzer.zip HTTP/1.1" 200 5555533 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)"

And the patterns (literal text to find, written here between square brackets) are:

 [- - []

 [] "GET /downloads/]

 [HTTP/]

Then the variables (the text between consecutive patterns, again shown between square brackets) are:

 <$0> = [15.219.169.69]

 <$1> = [04/Apr/2012:18:51:27 -0700]

 <$2> = [LogAnalyzer.zip]

 <$3> = [.1" 200 5555533 "-" "Mozilla/4.0 ...]

If we define the format as:

 Download <$2> to <$0> at <$1>.

The index will show:

 5014 -> Download LogAnalyzer.zip to 15.219.169.69 at 04/Apr/2012:18:51:27 -0700

Now let's take a closer look at the format field:

  • Strings outside of <> are printed directly to the output.

  • Strings of the form <$n> are replaced with the contents of variable n.
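To make the pattern/variable/format mechanism concrete, here is an added Python example that is not part of the log analyzer and not code from this post. It assumes its own split semantics: each pattern is literal text searched left to right, variable n is whatever sits before the n-th pattern, the text after the last pattern is the final variable, and surrounding whitespace is trimmed. The second pattern is written as `] "GET /downloads/`, the literal text that actually sits between the timestamp and the request path in the sample line. The sample lines are the two index entries from above, with the long user-agent string shortened. The example goes one step past the post by also showing a rule for the Kernel::Boot line and what happens when a rule does not match or the format references a variable that does not exist.

```python
import re
from typing import List, Optional

# Constructed sample lines, copied from the index entries discussed above
# (user-agent string trimmed for brevity).
APACHE_LINE = ('15.219.169.69 - - [04/Apr/2012:18:51:27 -0700] '
               '"GET /downloads/LogAnalyzer.zip HTTP/1.1" 200 5555533 "-" '
               '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"')
KERNEL_LINE = 'Apr 8 16:55:15 MiniPaquina : Kernel::Boot( 3.0.0-17-generic).'

# <$n> placeholders inside a format string.
VAR_RE = re.compile(r'<\$(\d+)>')


def extract_variables(line: str, patterns: List[str]) -> Optional[List[str]]:
    """Split `line` on the literal `patterns`, searched left to right.

    Variable n is the text before the n-th pattern; the text after the last
    pattern becomes the final variable, so there are len(patterns) + 1 of them.
    Returns None when any pattern is missing, meaning the rule does not fire.
    Whitespace trimming is an assumption of this example, not of the tool.
    """
    variables = []
    pos = 0
    for pattern in patterns:
        idx = line.find(pattern, pos)
        if idx < 0:
            return None
        variables.append(line[pos:idx].strip())
        pos = idx + len(pattern)
    variables.append(line[pos:].strip())
    return variables


def render(fmt: str, variables: List[str]) -> str:
    """Replace each <$n> in `fmt` with variables[n]; other text is copied verbatim.

    A reference to a variable that does not exist is left in place, so a typo
    in the format is visible in the index instead of silently vanishing.
    """
    def substitute(match: re.Match) -> str:
        n = int(match.group(1))
        return variables[n] if n < len(variables) else match.group(0)
    return VAR_RE.sub(substitute, fmt)


def apply_rule(line: str, patterns: List[str], fmt: str) -> Optional[str]:
    """Run one rule over one line: the formatted index entry, or None if no match."""
    variables = extract_variables(line, patterns)
    if variables is None:
        return None
    return render(fmt, variables)


# Two rules in the spirit of the post: one for the download line, one for the boot line.
DOWNLOAD_RULE = (['- - [', '] "GET /downloads/', 'HTTP/'], 'Download <$2> to <$0> at <$1>.')
BOOT_RULE = (['MiniPaquina'], 'Turning on at <$0>.')

if __name__ == '__main__':
    for line in (APACHE_LINE, KERNEL_LINE):
        for patterns, fmt in (DOWNLOAD_RULE, BOOT_RULE):
            entry = apply_rule(line, patterns, fmt)
            if entry is not None:
                print(entry)
```

Each line is tried against every rule and only the rules whose patterns all match produce an index entry, which is what lets the same index mix a friendly "Download ..." line with a friendly "Turning on ..." line while the raw statements stay untouched in the log itself.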

You can learn more about the log parser (or log analyzer), or even download it for a 30-day free trial and try this method.

This entry was posted on Thursday, August 8th, 2013 at 6:37 pm and is filed under LogAnalyzer. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.
