Parsing a whole log file may take a long time, depending on the size of the file. If only a certain group of records needs to be analyzed, it is more efficient to parse only those records. This can be done by adding a filter to the Sensor or Extractor component in the adapter, so that log records are filtered as they are read or extracted instead of after they are parsed into Common Base Events.
A filter is added to the component with the filter and filterExitClass properties. For a description of these properties, refer to the Extractor Properties. For static adapters, the filter properties are added to the StaticParserSensor. For rules-based adapters, the filter properties are normally added to the Extractor so that filtering occurs on complete records. However, a custom filter exit class can be created that filters lines read from the log by the Sensor. In that case, the filter properties are added to the Sensor.
If the filter property is added to the component but the filterExitClass property is not added, a default filter exit class will be used that expects a regular expression as the filter property value. Specific filter exit class implementations are available for each of the log parsers included in TPTP for filtering by severity and time. Here are the filter exit class names:

| Log Type | Filter Exit Class |
|---|---|
| Apache Access | org.eclipse.hyades.logging.parsers.util.ApacheAccessLogFilterExit |
| Apache Error | org.eclipse.hyades.logging.parsers.util.ApacheErrorLogFilterExit |
| Common Base Event XML | org.eclipse.hyades.logging.parsers.util.CommonBaseEventXMLLogFilterExit |
| Java logging XML | org.eclipse.hyades.logging.parsers.util.JavaLoggingXMLLogFilterExit |
| Windows Event | org.eclipse.hyades.logging.parsers.util.WindowsEventLogFilterExit |

For these filter exit classes, the filter property value must be an XPath expression based on the CommonBaseEvent severity and creationTime properties. Below are some sample XPath filter expressions:

| Filter value | Description |
|---|---|
| /CommonBaseEvent[@severity > '10'] | severity greater than Information level |
| /CommonBaseEvent[(StrTools:strcmp(@creationTime, '2006-07-17T11:17:21.000000-05:00') >= 0)] | times greater than or equal to 2006-07-17T11:17:21.000000-05:00 |
| /CommonBaseEvent[(StrTools:strcmp(@creationTime, '2006-07-17T11:17:21.000000-05:00') >= 0) and (StrTools:strcmp(@creationTime, '2006-07-17T12:00:00.000000-05:00') < 0)] | times greater than or equal to 2006-07-17T11:17:21.000000-05:00 and less than 2006-07-17T12:00:00.000000-05:00 |
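
The time-window filters above compare creationTime as a string. The following added example (not part of the TPTP documentation or code) emulates the three sample filters over constructed records, assuming StrTools:strcmp is a plain lexical comparison, and shows that a record written with a different UTC offset is dropped by the string window even though it falls inside it:

```python
from datetime import datetime

# Constructed sample records: the two CommonBaseEvent attributes the filters use.
RECORDS = [
    {"severity": 10, "creationTime": "2006-07-17T11:00:00.000000-05:00"},
    {"severity": 30, "creationTime": "2006-07-17T11:17:21.000000-05:00"},
    {"severity": 50, "creationTime": "2006-07-17T11:45:10.000000-05:00"},
    {"severity": 60, "creationTime": "2006-07-17T12:00:00.000000-05:00"},
    # Same instant as 11:30:00 -05:00, but written with a UTC offset.
    {"severity": 50, "creationTime": "2006-07-17T16:30:00.000000+00:00"},
]
START = "2006-07-17T11:17:21.000000-05:00"
END = "2006-07-17T12:00:00.000000-05:00"


def strcmp(a, b):
    """Lexical three-way comparison (assumed behaviour of StrTools:strcmp)."""
    return (a > b) - (a < b)


def severity_filter(rec):
    """Emulates /CommonBaseEvent[@severity > '10']."""
    return rec["severity"] > 10


def window_lexical(rec, start=START, end=END):
    """Emulates the strcmp-based window filter: start <= creationTime < end."""
    t = rec["creationTime"]
    return strcmp(t, start) >= 0 and strcmp(t, end) < 0


def window_chronological(rec, start=START, end=END):
    """Same window, comparing real instants instead of strings."""
    t = datetime.fromisoformat(rec["creationTime"])
    return datetime.fromisoformat(start) <= t < datetime.fromisoformat(end)


def offset_mismatches(records):
    """creationTime values on which the string and instant comparisons disagree."""
    return [r["creationTime"] for r in records
            if window_lexical(r) != window_chronological(r)]


if __name__ == "__main__":
    print("severity > 10:", [r["severity"] for r in RECORDS if severity_filter(r)])
    print("string window:", [r["creationTime"] for r in RECORDS if window_lexical(r)])
    print("dropped by string comparison:", offset_mismatches(RECORDS))
```

Under that assumption, write the filter bounds with the same offset and precision as the creationTime values in the log being filtered.
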

Copyright © 2006 IBM Corporation. All rights reserved. This document and the accompanying materials are made available under the terms of the Eclipse Public License v1.0 which is available at http://www.eclipse.org/legal/epl-v10.html