Micro Focus Frequent Contributor

Dynamic MultiLine Parser

Hello to the community,

I have to develop a FlexConn Parser for the following type of log:

HCPMID6001I  TIME IS 00:00:00 CST SATURDAY 11/24/12

12:00:00 AUTO LOGON  ***       LOGOPER  USERS = 16    BY VMUTIL

12:15:01 USER DSC   LOGOFF AS  LOGOPER  USERS = 15    FORCED BY SYSTEM

23:58:00  * MSG FROM VMUTIL  : THE TIME IS NOW: 23:58:00 ON 24 Nov 2012

00:00:00

HCPMID6001I  TIME IS 00:00:00 CST SUNDAY 11/25/12

12:00:00 AUTO LOGON  ***       LOGOPER  USERS = 16    BY VMUTIL

12:15:01 USER DSC   LOGOFF AS  LOGOPER  USERS = 15    FORCED BY SYSTEM

23:58:00  * MSG FROM VMUTIL  : THE TIME IS NOW: 23:58:00 ON 25 Nov 2012

00:00:00

My problem is that the Event Date is only contained in the first line (HCPMID6001I  TIME IS 00:00:00 CST ) and, after that, the events have only the time field. In this case I need to store the Date info and use it when I read the following events, merging together the stored Date and the read Time field.

Moreover, the events in a day could be one or more, up to several hundred in some cases.

I thought of a MultiLine Parser solution, but I've seen that this parser needs to be designed with a defined, static pattern between start.line and end.line, whilst here I have a variable number of events (with different format) between start and end.

Do you know if it is possible to design a Dynamic MultiLine parser in order to solve this case?

Is there another solution to store the Date Field Information and use it for the following events until we have a new Date event "HCPMID6001I  TIME IS 00:00:00 CST..." ?

Best regards and thank you for the availability,

A.Pistoni

TriumphArc Absent Member.

Re: Dynamic MultiLine Parser

Not sure if this would work. If you define the date and time in a different token, you can use "createTimeStamp(date,time)" to combine them back together into one field, and ArcSight will translate it back to epoch time format.

argovind1 Absent Member.

Re: Dynamic MultiLine Parser

Hi,

Use the extra process concept to deal with these kinds of logs.

Regards,

Arun Govindasamy

Micro Focus Frequent Contributor

Re: Dynamic MultiLine Parser

Thank you Arun and PT for the support !!!
I'll proceed with the extra processor approach and I'll update the post ASAP.

Thanks again,

A.Pistoni
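
The carry-forward idea from the question (remember the date from each HCPMID6001I line and merge it with the time on the lines that follow), sketched as a stand-alone Python pre-processing step. This is an added example, not code from the thread and not ArcSight FlexConnector or extra processor configuration; the name stamp_events, the choice to skip a bare time line, and the orphan line in the sample are assumptions.

```python
import re
from datetime import datetime

# Day marker: the only line that carries a date (mm/dd/yy) and a zone label.
HEADER = re.compile(
    r"^HCPMID6001I\s+TIME IS\s+\d\d:\d\d:\d\d\s+(\w+)\s+\w+\s+(\d\d/\d\d/\d\d)$")
# Event: time of day, then an optional message.
EVENT = re.compile(r"^(\d\d:\d\d:\d\d)(?:\s+(.*))?$")

def stamp_events(lines):
    """Yield (iso_timestamp, zone, message); timestamp is None if no date is known."""
    day = zone = None
    for raw in lines:
        line = raw.rstrip()
        if not line:
            continue  # padding between days
        header = HEADER.match(line)
        if header:  # remember the date until the next day marker
            zone = header.group(1)  # kept as a label, not converted to an offset
            day = datetime.strptime(header.group(2), "%m/%d/%y").date()
            continue
        event = EVENT.match(line)
        if event is None or day is None:
            yield (None, None, line)  # surface it instead of guessing a date
            continue
        if event.group(2) is None:
            continue  # bare time with no message (assumed to carry no event)
        clock = datetime.strptime(event.group(1), "%H:%M:%S").time()
        yield (datetime.combine(day, clock).isoformat(), zone, event.group(2))

# Constructed sample: lines from the post plus one made-up orphan line.
SAMPLE = """\
12:34:56 ORPHAN LINE BEFORE ANY HEADER
HCPMID6001I  TIME IS 00:00:00 CST SATURDAY 11/24/12
12:15:01 USER DSC   LOGOFF AS  LOGOPER  USERS = 15    FORCED BY SYSTEM
23:58:00  * MSG FROM VMUTIL  : THE TIME IS NOW: 23:58:00 ON 24 Nov 2012
00:00:00

HCPMID6001I  TIME IS 00:00:00 CST SUNDAY 11/25/12
12:00:00 AUTO LOGON  ***       LOGOPER  USERS = 16    BY VMUTIL
""".splitlines()

if __name__ == "__main__":
    for row in stamp_events(SAMPLE):
        print(row)
```

Lines that arrive before any day marker come out with a None timestamp so they can be reviewed rather than silently stamped with the wrong day.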
