How to handle logs separated by special characters(|,) in Drain about logparser HOT 8 CLOSED

The problem in my case is i have different log sources where most of them are space separated while some of them have these special characters like pipe or comma separated. Is there any way i can handle this at runtime which works for all kind of patterns?

Also for my second query, Same pattern log, can you comment on how to make it same template group?

from logparser.

You could define different delimiters for different log sources. Another option is to define multiple delimiters:

# delimiters for white space, "=", and ":"
delimiters = '=|:|\s+'
wordL = re.split(delimiters, logmessage.strip())

For the same pattern log with extra tokens, you could merge different templates/log groups by comparing the template strings. If two templates are similar, their corresponding groups could be merged into one group.

from logparser.

Hi @PinjiaHe ,

For the same pattern log with extra tokens case.... Can you please help me on how to merge different templates/log groups by comparing the template string
For instance:

1. A=a B=b C=c D=d(length 4)
2. A=a' a B=b' b C=c' c D=d' d(length 8)

The above 2 log lines belong to different first layer node length 4 and length 8 respectively. What part of code should we modify to handle these cases? As per my understanding we create the first layer based on token and later look for templates matching the log line and create if it isn't existing. But we search for template in same bucket of first layer node and not all the buckets to improve performance.

Appreciate your help in this :)

from logparser.

But we search for template in same bucket of first layer node and not all the buckets to improve performance.

Right, but if you want to merge two groups, you need to add some code to link two groups to a single group (i.e., add another layer). In this case, they will output the same template. This may need some coding effort. We have implemented similar methods in

If all your logs are in the format of "A=a B=b ...", we would suggest finding "A, B, ..." first by inspecting word frequency.

from logparser.

Hi @PinjiaHe
Thanks for the reply. Is there any doc which explains what exactly is done in DrainJournal? Also why was this approach of getting a similar cluster not done in Drain as compare to DrainJournal... Was there any performance cost or some logical issue?

from logparser.

A draft could be found here.

We did not implement it in Drain (ICWS17) because most of the logs we encountered can be handled without merging the groups. Additionally, it's possible for the merging mechanism to wrongly merge two groups, leading to other parsing errors. Thus, a suitable parameter is important.

from logparser.

Thanks @PinjiaHe . I shall try out the suggestions you have given against my log files and see how it goes. One last query i have is that currently creates a new Root Node and new logCluL for each log file. Is there any way where we can make it global and have one root node and maintain 1 logCluL for all the logs and log files we parse through Drain?

from logparser.

The easiest way is to merge the log files first.

You could also modifier the log_to_dataframe method to let it accept a list of file names as parameters, and read them all.

from logparser.