This documentation and the Cisco Observability Platform functionalities it describes are subject to change. Data saved on the platform may disappear and APIs may change without notice.
logs:logParsingRule
Description
Defines a parsing rule to apply to log messages which match the rule scope.
Syntax
{
  "uniqueName": "<string>",
  "displayName": "<string>",
  "description": "<string>",
  "parseMethod": "<string>",
  "parserType": "<string>",
  "parsingPattern": "<string>",
  "timestampField": "<string>",
  "timestampPattern": "<string>",
  "ruleScope": "<string>",
  "delimiterChar": "<string>",
  "parsedFields": "<array>",
  "isEnabled": "<boolean>"
}
Attributes
| Attribute | Description |
|---|---|
| uniqueName | Required. Name of the parsing rule. Can contain alphanumeric characters, underscores, hyphens, or periods only. Maximum of 128 characters. Must be unique within a solution or Tenant. |
| displayName | Required. Name of the parsing rule as it appears in the user interface. Can contain alphanumeric characters, underscores, dashes, or periods only. Maximum of 64 characters. |
| description | Description of the parsing rule. Maximum of 512 characters. |
| parseMethod | Required. Method of parsing to use for this rule. Valid values: "PARSERS", "DELIMITER". |
| parserType | Type of parser to use for this rule. Valid values: "GROK", "JSON", "LOG4J", "LOGBACK", "INFRA_LOG", "TIMESTAMP", "APACHE", "ELB", "NGINX", "ALB", "KAFKA", "SQLSERVER", "POSTGRESQL", "MYSQL", "ZOOKEEPER", "REDIS", "AWSS3ACCESS", "HAPROXY". |
| parsingPattern | Sample log message pattern for validation based on parserType. Minimum length: 1 character. Maximum length: 1024 characters. If parserType is "JSON" or "INFRA_LOG", the back end doesn't support parsingPattern. If you set parserType to any type that has a predefined pattern (i.e. "APACHE", "ELB", "NGINX", "ALB", "KAFKA", "SQLSERVER", "POSTGRESQL", "MYSQL", "ZOOKEEPER", "REDIS", "AWSS3ACCESS", "HAPROXY"), the platform autopopulates parsingPattern with a predefined GROK pattern; you don't need to specify it. Predefined patterns are not editable. If you need to create your own pattern, set parserType to "GROK", "LOG4J", "LOGBACK", or "TIMESTAMP". |
| timestampField | Identifies the log message's timestamp field. Valid only if parserType is "JSON" or "GROK". For "JSON", if this attribute is missing, no timestamp is extracted from the raw message. For "GROK", if this attribute is missing, the default value 'timestamp' is used. |
| timestampPattern | Specifies the pattern for the timestamp field. Valid only if parserType is "JSON" or "GROK". For both "JSON" and "GROK", if this attribute is missing, no timestamp is extracted from the raw message. |
| ruleScope | Required. Specifies the criteria that log messages must match in order to be parsed with this rule. The criteria must be a valid log attribute. Maximum of 2048 characters. Syntax: "attribute(<attribute-name>) = '<value>'". You can also use &&, IN, and multivalued attributes. Examples: "attribute(k8s.namespace.name) = 'bofa-23-08'"; "attributes(host.name)='appd_1' && attributes(service.name)='appd_2'"; "attributes(host.name) IN ['appd_1', 'appd_2']". |
| delimiterChar | Required if parseMethod is "DELIMITER". Delimiter character for this parsing rule. Maximum length: 1 character. |
| parsedFields | List of named fields (fields that are extracted with a parsed value in a sequence based on this parsing rule). |
| isEnabled | Enables or disables this parsing rule. Valid values: "true", "false". |
Example
{
  "isEnabled": true,
  "ruleScope": "attributes(container.id)=container_appd_1",
  "parserType": "LOG4J",
  "uniqueName": "log4jvanilla",
  "description": "Rule for parsing log4j messages.",
  "displayName": "log4jvanilla",
  "parseMethod": "PARSERS",
  "parsedFields": [
    {
      "dataType": "STRING",
      "fieldName": "message"
    },
    {
      "dataType": "STRING",
      "fieldName": "level"
    }
  ],
  "parsingPattern": "%d{yyyy-MM-dd HH:mm:ss} %-5p %c{1}:%L - %m%n"
}
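The constraints in the Attributes table can be checked locally before a rule is submitted, so that a malformed rule does not leave security-relevant logs unparsed. The following is an added example, not code from the platform or its documentation: `validate_rule` is a hypothetical helper, "alphanumeric" is assumed to mean ASCII letters and digits, and the platform's own validation may differ.

```python
import re

# Value sets copied from the Attributes table above.
PARSE_METHODS = {"PARSERS", "DELIMITER"}
PREDEFINED = {"APACHE", "ELB", "NGINX", "ALB", "KAFKA", "SQLSERVER", "POSTGRESQL",
              "MYSQL", "ZOOKEEPER", "REDIS", "AWSS3ACCESS", "HAPROXY"}
NO_PATTERN = {"JSON", "INFRA_LOG"}
PARSER_TYPES = PREDEFINED | NO_PATTERN | {"GROK", "LOG4J", "LOGBACK", "TIMESTAMP"}
NAME_RE = re.compile(r"[A-Za-z0-9_.-]+")  # assumption: ASCII alphanumerics only


def validate_rule(rule):
    """Return the documented constraints that `rule` (a dict) violates."""
    errs = []
    for key, limit in (("uniqueName", 128), ("displayName", 64)):
        val = rule.get(key)
        if not isinstance(val, str) or len(val) > limit or not NAME_RE.fullmatch(val):
            errs.append(f"{key}: required, max {limit} chars of [A-Za-z0-9_.-]")
    if len(rule.get("description") or "") > 512:
        errs.append("description: max 512 chars")
    scope = rule.get("ruleScope")
    if not isinstance(scope, str) or not 1 <= len(scope) <= 2048:
        errs.append("ruleScope: required, max 2048 chars")
    method = rule.get("parseMethod")
    if method not in PARSE_METHODS:
        errs.append("parseMethod: required, PARSERS or DELIMITER")
    if method == "DELIMITER" and len(rule.get("delimiterChar") or "") != 1:
        errs.append("delimiterChar: required single character for DELIMITER")
    ptype = rule.get("parserType")
    if ptype is not None and ptype not in PARSER_TYPES:
        errs.append(f"parserType: unknown value {ptype!r}")
    pattern = rule.get("parsingPattern")
    if pattern is not None:
        if ptype in NO_PATTERN:
            errs.append(f"parsingPattern: not supported for {ptype}")
        elif ptype in PREDEFINED:
            # Assumption: a caller-supplied pattern here is a mistake, since the
            # platform autopopulates it and predefined patterns are not editable.
            errs.append(f"parsingPattern: predefined for {ptype}, omit it")
        elif not isinstance(pattern, str) or not 1 <= len(pattern) <= 1024:
            errs.append("parsingPattern: length must be 1..1024")
    for key in ("timestampField", "timestampPattern"):
        if key in rule and ptype not in ("JSON", "GROK"):
            errs.append(f"{key}: valid only for JSON or GROK")
    return errs
```

An empty list means the rule satisfies every constraint checked here; the rule in the Example section above passes.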