Solved: Re: Parse Multiline Log

MarcioKaue · ‎14 Nov 2023

Hello,

We are facing a problem parsing log lines where we understand that the root cause is due to the data being multiline.

Below is an example log:

2023-02-31 11:51:28,988 - INFO - Prediction Output: class0_proba=0.00 class1_proba=0.00
INFO: 0.0.0.0:12345 - "POST /api/v1/model/string/predict HTTP/1.1" 200 OK

We would like to parse the Status Code information but it is not being effective:

fetch logs
| filter contains(content, "POST")
| parse content, "LD 'HTTP/1.1\"' LD:httpcode "

In a log that is not multiline this parse works correctly. Does anyone have any idea how we can extract this information?

sinisa_zubic · ‎14 Nov 2023

Hi @MarcioKaue

The reason why is because LD is only matching one single line. You have to use the DATA matcher, which is the multiline matcher.

| parse content, """DATA 'HTTP/1.1\" ' INT:httpcode"""

Best,
Sini

MarcioKaue · ‎14 Nov 2023

Thanks @sinisa_zubic , it worked perfectly!

MarcioKaue · ‎14 Nov 2023

@sinisa_zubic ,Can we also get other fields using DATA?

Example get status code and API name "/api/v1/model/string/predict"

sinisa_zubic · ‎14 Nov 2023

yes you can

| parse content, """DATA '"' ALPHA:method ' ' LD:apiName ' HTTP/1.1\" ' INT:httpcode"""

If you are new to the Dynatrace Pattern Language, I would suggest that you check out those two resources

https://www.dynatrace.com/news/blog/speed-up-your-security-investigations-with-dpl-architect/

https://docs.dynatrace.com/docs/platform/grail/dynatrace-pattern-language/dpl-architect