Extraction and parsing commands
parse
Parses a record field and puts the result(s) into one or more fields as specified in the pattern.
The parse command works in combination with the Dynatrace Pattern Language for parsing strings.
Syntax
parse fieldName, pattern
Basic example
Example: Parse log content
The following example parses the content field, which shows the content of a log line. The parse command adds the parsed fields to the set of fields of the record.
data record(content="117.16.75.9--[14/Mar/2016:23:34:25 +0200] GET//setup.php HTTP/1.1 404 474")
| parse content, "IPV4:ip LD HTTPDATE:time ']' LD:text"
Query result:
content | ip | time | text |
---|---|---|---|
117.16.75.9--[14/Mar/2016:23:34:25 +0200] GET//setup.php HTTP/1.1 404 474 | 117.16.75.9 | 2016-03-14T21:34:25.000Z | " GET//setup.php HTTP/1.1 404 474" |
Practical example
Example: Apache access logs
In the following example, the parse command extracts all the relevant fields from Apache access logs.
fetch logs
| filter dt.entity.process_group == "PROCESS_GROUP-628E1D4CAD1B41B9"
| fieldsKeep content
| parse content, """(IPADDR:'http.client_ip' | [! \n]+):host' ' ('-' | NSPACE:ident)' ' ('-' | (DATA{1,8096}:auth >>(' [' HTTPDATE)))' ' '[' HTTPDATE:event_time ']'' ' (('\"' [A-Z-_]+:'http.method' ' ' LD{0,8096}:uri ' ' LD{3,10}:'http.flavor' '\"')| DQS:invalid_request)' ' LONG:'http.status_code'' ' (LONG:'http.response.content_length' | '-')(' ' DQS:referer (' ' DQS:user_agent)?)?"""
| summarize count = count(), by: { http.status_code }
Added fields override existing fields
In case of identical names, fields added by the parse command override the existing fields. When two identical field names are specified in the DQL statement, a warning "The field <fieldName> overrides an existing field." is returned.
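The override behavior applied to the basic example's log line, as an added example that is not part of the original documentation. The pre-set `ip` value, the `ip_before_parse` field and the second pattern with its field names (`method`, `uri`, `version`, `status`, `bytes`) are constructed for illustration.

```dql
// Constructed record: it already carries an `ip` field before parse runs,
// for example a value set by an earlier processing step.
data record(
    content = "117.16.75.9--[14/Mar/2016:23:34:25 +0200] GET//setup.php HTTP/1.1 404 474",
    ip = "10.0.0.1"
  )
// Copy the existing value to a non-colliding name so it survives the override.
| fieldsAdd ip_before_parse = ip
// The pattern exports a field named `ip`, the same name as the existing field:
// the parsed value replaces the old one, which is the case the
// "overrides an existing field" warning describes.
| parse content, "IPV4:ip LD HTTPDATE:time ']' LD:text"
// Parse the remainder into field names that do not exist on the record yet,
// so nothing else is overridden.
| parse text, "' ' [A-Z]+:method LD:uri ' HTTP/' LD:version ' ' LONG:status ' ' LONG:bytes"
| fields ip_before_parse, ip, time, method, uri, version, status, bytes
```

When a log source's fields feed detection or audit queries, choosing export names that cannot collide with existing fields keeps the original values available for comparison.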