Log file splitter
The Generic Annotation Insight® Pack contains Rule Sets that can be used to split incoming log files.
These are:
Generic-dateTime-Split (default)
Generic-timeOnly-Split
Each Rule Set splits a log based on each line having either a time stamp or a date and time stamp.
The Generic-dateTime-split splitter splits log records using the date and time stamp of the log file. If the log file does not have a year format that the splitter can interpret in the log records, the splitter adds a year value based on the IBM® Operations Analytics Log Analysis server system time. The Index Configuration must be updated to reflect this action.
The Generic-timeOnly-split splitter splits log records using only the time stamp in the log record. Where the log file does not have a date in the log records that can be interpreted by the splitter, the current date value set for the IBM Operations Analytics Log Analysis server is used. The format MM/dd/yyyy is inserted before the format of the time. The Index Configuration must be updated to reflect this action.
The splitters provided with the Insight Pack are described here as a reference for users.
- DateTime splitter
- The dateTime splitter recognizes all supported timestamp formats. The timestamp must have a date and a time. If the year is missing from the date, the current year will be appended to the front of the timestamp. You must modify the index configuration with the proper timestamp format for the splitter to function properly.
- TimeOnly splitter
- The timeOnly splitter recognizes all supported time formats. The timestamp must have a time and must not have a date. The splitter will append the current date to the front of the timestamp in the format MM/dd/yyyy. You must modify the index configuration with the proper timestamp format for the splitter to function properly.
- NormalizedMonthFirst splitter
- The splitter assumes a purely numeric date (for example, 07/08/09) is in the format MM/dd/yy. The timestamp must have a time, and may have an optional date. The date may have an optional year. If the date or year is missing, the current date or year is substituted. The NormalizedMonthFirst splitter outputs the timestamp in a normalized format. As a result, the index configuration does not need to be modified with the timestamp format.
- NormalizedDayFirst splitter
- The splitter assumes a purely numeric date (for example, 07/08/09) is in the format dd/MM/yy. The timestamp must have a time, and may have an optional date. The date may have an optional year. If the date or year is missing, the current date or year is substituted. The NormalizedDayFirst splitter outputs the timestamp in a normalized format. As a result, the index configuration does not need to be modified with the timestamp format.
- NormalizedYearFirst splitter
- The splitter assumes a purely numeric date (for example, 07/08/09) is in the format yy/MM/dd. The timestamp must have a time, and may have an optional date. The date may have an optional year. If the date or year is missing, the current date or year is substituted. The NormalizedYearFirst splitter outputs the timestamp in a normalized format. As a result, the index configuration does not need to be modified with the timestamp format.
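The following Python sketch is an added example, not IBM code and not part of the Insight Pack. It shows how the same numeric date resolves to different instants under the three Normalized* field orders described above, and how a missing date or year is taken from the server clock. The regular expression, the ISO 8601 output, the 2000-based two-digit year, the month-before-day order when NormalizedYearFirst has no year, and the function names are assumptions of the example; the page does not specify them.

```python
import re
from datetime import datetime

# Field order each Normalized* splitter assumes for a purely numeric date.
ORDERS = {
    "NormalizedMonthFirst": ("month", "day", "year"),
    "NormalizedDayFirst": ("day", "month", "year"),
    "NormalizedYearFirst": ("year", "month", "day"),
}

# Assumed layout: optional n/n or n/n/n date, then a required HH:mm:ss time.
_STAMP = re.compile(
    r"^(?:(\d{1,2})/(\d{1,2})(?:/(\d{1,2}))?\s+)?(\d{1,2}):(\d{2}):(\d{2})"
)

def normalize(line, splitter, now):
    """Return the record's time stamp as ISO 8601, or None if the line has none.

    `now` stands in for the server system time used for substitution.
    Raises ValueError when the digits are not a valid date in the assumed order.
    """
    m = _STAMP.match(line)
    if m is None:
        return None
    date_parts = [int(g) for g in m.groups()[:3] if g is not None]
    order = ORDERS[splitter]
    if len(date_parts) == 2:  # year omitted: drop it from the assumed order
        order = tuple(f for f in order if f != "year")
    fields = dict(zip(order, date_parts))  # empty when the line has no date
    # Assumption: two-digit years belong to the 2000s.
    year = 2000 + fields["year"] if "year" in fields else now.year
    month = fields.get("month", now.month)
    day = fields.get("day", now.day)
    hour, minute, second = (int(g) for g in m.groups()[3:])
    return datetime(year, month, day, hour, minute, second).isoformat()

def interpretations(line, now):
    """Normalize one line under all three field orders for comparison."""
    return {name: normalize(line, name, now) for name in ORDERS}

if __name__ == "__main__":
    server_now = datetime(2024, 3, 15, 12, 0, 0)  # constructed server time
    for sample in ("07/08/09 10:15:00 login failed",  # constructed log lines
                   "07/08 10:15:00 login failed",
                   "10:15:00 login failed"):
        print(sample, interpretations(sample, server_now))
```

Because 07/08/09 parses without error under all three orders, choosing the wrong splitter does not fail; it indexes the record at the wrong time.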