FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Parse multiple entries in quotes

S_Hadley1138
Contributor

‎25 Jan 2024 03:48 PM

Just a follow up on this one...  but slightly different question, @sinisa_zubic as you are clearly a wizard in this area......

Solved: simple csv event log parse - Dynatrace Community

So IF i have some lines in my log with multiple entries, but not all...  for example

2024-01-11T13:23:02.578Z,192.168.0.100,Server1,Tree,Green,Warning
2024-01-11T13:24:06.345Z,192.168.0.103,Server2,Bush,DarkGreen,Alert
2024-01-11T13:27:04.543Z,192.168.0.103,Server2,Road,"Grey,Yellow,White",Alert
2024-01-11T13:28:03.345Z,192.168.0.178,Server5,Path,Black,Bannana

how would I get the this to parse, as the 3rd line has multiple entries in the 5th field, comma separated, but encapsulated in "".  the way you showed me wont work as the Colour field is also csv, but in quotes?

JSONTIMESTAMP*:timestamp_parsed ','

IPV4ADDR*:clientip ','

LD*:clienthostname ','

LD*:object ','

(Array{LD*:i ('"' | >>',')}{1,}:Colour)? '",'

LD*:status

any guidance would be appreciated

Labels:
0 Kudos
Reply
1 REPLY 1

krzysztof_hoja
Dynatrace Advisor
Dynatrace Advisor

‎25 Jan 2024 07:29 PM

I would do it in 2 steps:
- as 5th field can be just string or quoted string, alterative comes in handy like in previous exercise. There are ready to use DPL matchers for quoted strings: https://docs.dynatrace.com/docs/platform/grail/dynatrace-pattern-language/log-processing-lines-strin... like DQS I used. Please not that order matters.
- when we have color or multiple colors captured in color field, it can be split into array using splitString function

data record(c="2024-01-11T13:23:02.578Z,192.168.0.100,Server1,Tree,Green,Warning"),
record(c="2024-01-11T13:24:06.345Z,192.168.0.103,Server2,Bush,DarkGreen,Alert"),
record(c="2024-01-11T13:27:04.543Z,192.168.0.103,Server2,Road,\"Grey,Yellow,White\",Alert"),
record(c="2024-01-11T13:28:03.345Z,192.168.0.178,Server5,Path,Black,Bannana"),
record(c="2024-01-11T13:28:03.345Z,192.168.0.178,Server5,Path,,Nothing")
| parse c, "JSONTIMESTAMP*:timestamp_parsed ',' IPV4ADDR*:clientip ',' LD*:clienthostname ',' LD*:object ',' (DQS*:color|LD*:color) ',' LD*:status"
| fieldsAdd color=splitString(color,",")

Result looks like this:

krzysztof_hoja_0-1706210841982.png

 




Reply
Ask a question

Featured Posts