
sdkkeyvaluefilereader question


Hi all,

Apologies if it looks like I am asking simple questions, though I have read as much documentation as possible to no avail.

Basically, I am trying to get an sdkkeyvaluefilereader working with a custom event that is appearing in the Windows Application Log. The event itself is from a bespoke application.

Having looked at the raw events on the logger, all I see is Key[0] and then a long string of characters. An example would be:

Key[0]=User: bob opened file\nbob read 7 words

This is an example from the top of my head at present.

What I need to do is extract bob from User: bob (should be easy enough for that one), and then for the message (later) extract bob read 7 words (from the next line).

This is definitely where I am stumbling.

Grateful if someone has managed to get an example working with only one event in the Key array.

Just as an aside (and in addition), I would like to thank Steven Vanderbraak for posting his wonderful example with regard to the Windows Exchange Audit Log.

Thanks for any help or advice that could be given.

Phil Williams


Accepted Solutions

A couple of things you might try:

Use submessages if possible. These let you grab a token and chop it into multiple other tokens using regex.

It may not work in this instance, but a similar but much more simplistic option would be to use the __regexToken operator. It will do basically the same thing, but instead of chopping a big token into many small tokens, you only get one smaller token out of it. Sort of like a substring. If you need multiple parts pulled out, you could try using this operator more than once.

If all you are concerned with is the fact that it looks like data is on two different lines, I believe that's not much of a problem because the parser will read the token as one long line (IIRC).

Also, if your demo only works on a single log entry then you may want to look into parsing differently. Something you could do is actually use a Windows Unified Connector in this case and then set up a parsing file that ONLY operates on Exchange logs. In the end the process is almost identical to creating a FlexConnector, but your sub-parser is only going to try to fire on the particular log type that you want, instead of trying to fire on every log.

I hope this helps.

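The two approaches in the accepted answer (one __regexToken-style capture per field, or one submessage-style pattern that chops the token into several fields), as an added worked example that is not part of the original thread and not ArcSight code: a Python script that dry-runs the candidate regexes against samples built from the Key[0] line in the question before they are copied into a parser properties file. The function names (key0_value, regex_token, extract_with_regex_token, extract_with_submessage), the patterns and the output field names are hypothetical; the sample events are constructed, and both a literal backslash-n and a real line break are tried because the question does not show which one the connector actually delivers.

```python
import re

# Constructed samples, modelled on the single Key[0] token in the question.
# The raw event showed a literal backslash-n between the two lines; a real
# newline is also possible, so both forms are exercised.
SAMPLE_LITERAL_NL = r"Key[0]=User: bob opened file\nbob read 7 words"
SAMPLE_REAL_NL = "Key[0]=User: bob opened file\nbob read 7 words"
SAMPLE_ONE_LINE = "Key[0]=User: alice logged on"

# Line separator as either an actual line break or the two characters '\' 'n'.
LINE_SEP = r"(?:\r?\n|\\n)"

# Hypothetical patterns for the two approaches in the answer.
# __regexToken style: one small pattern per field, each with one capture group.
USER_RE = re.compile(r"^User:\s+(?P<user>\S+)")
MESSAGE_RE = re.compile(LINE_SEP + r"(?P<message>.+)")  # rest of the next line

# submessage style: one pattern that chops the whole token into several fields.
SUBMESSAGE_RE = re.compile(
    r"^User:\s+(?P<user>\S+)\s+(?P<action>.*?)" + LINE_SEP + r"(?P<message>.+)"
)


def key0_value(raw_event: str) -> str:
    """Return the text after 'Key[0]=' or raise if the line is not in that shape."""
    key, sep, value = raw_event.partition("=")
    if not sep or key.strip() != "Key[0]":
        raise ValueError(f"expected a Key[0]=... line, got {raw_event!r}")
    return value


def regex_token(token: str, pattern: re.Pattern, group: str):
    """Python stand-in for __regexToken: return one capture group, or None if no match."""
    m = pattern.search(token)
    return m.group(group).strip() if m else None


def extract_with_regex_token(raw_event: str) -> dict:
    """Pull each field out of Key[0] independently, as repeated __regexToken calls would."""
    value = key0_value(raw_event)
    return {
        "sourceUserName": regex_token(value, USER_RE, "user"),
        "message": regex_token(value, MESSAGE_RE, "message"),
    }


def extract_with_submessage(raw_event: str):
    """Split Key[0] into several fields with one pattern, as a submessage would.

    Returns None when the pattern does not match, mirroring a submessage
    that does not fire for that event."""
    m = SUBMESSAGE_RE.match(key0_value(raw_event))
    return {name: text.strip() for name, text in m.groupdict().items()} if m else None


if __name__ == "__main__":
    for sample in (SAMPLE_LITERAL_NL, SAMPLE_REAL_NL, SAMPLE_ONE_LINE):
        print(repr(sample))
        print("  regexToken :", extract_with_regex_token(sample))
        print("  submessage :", extract_with_submessage(sample))
```

Both samples with a second line yield the same user and message whichever form the line break takes, and the one-line sample shows the failure mode to plan for: the per-field approach still returns the user with an empty message, while the single-pattern approach returns nothing at all. Once the patterns behave as intended here, each USER_RE/MESSAGE_RE is the one-group regex to hand to __regexToken, and SUBMESSAGE_RE is the multi-group regex for a submessage pattern; the exact properties-file keys are not reproduced here.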
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.