Log file splitter

The Generic Annotation Insight® Pack contains Rule Sets that can be used to split incoming log files.

These are:

  • Generic-dateTime-Split (default)
  • Generic-timeOnly-Split

Each Rule Set splits a log based on each line having either a time stamp or a date and time stamp.

The Generic-dateTime-split splitter splits log records using the date and time stamp of the log file. If the log records do not have a year format that the splitter can interpret, the splitter adds a year value based on the IBM® Operations Analytics Log Analysis server system time. The Index Configuration must be updated to reflect this action.

The Generic-timeOnly-split splitter splits log records using only the time stamp in the log record. Where the log records do not have a date that the splitter can interpret, the current date value set for the IBM Operations Analytics Log Analysis server is used. The format MM/dd/yyyy is inserted before the format of the time. The Index Configuration must be updated to reflect this action.

The splitters provided with the Insight Pack are described here as a reference for users.

DateTime splitter
The dateTime splitter recognizes all supported timestamp formats. The timestamp must have a date and a time. If the year is missing from the date, the current year is prepended to the timestamp. You must modify the index configuration with the proper timestamp format for the splitter to function properly.
TimeOnly splitter
The timeOnly splitter recognizes all supported time formats. The timestamp must have a time and must not have a date. The splitter prepends the current date to the timestamp in the format MM/dd/yyyy. You must modify the index configuration with the proper timestamp format for the splitter to function properly.
NormalizedMonthFirst splitter
The splitter assumes a purely numeric date (for example, 07/08/09) is in the format MM/dd/yy. The timestamp must have a time, and may have an optional date. The date may have an optional year. If the date or year is missing, the current date or year is substituted. The NormalizedMonthFirst splitter outputs the timestamp in a normalized format. As a result, the index configuration does not need to be modified with the timestamp format.
NormalizedDayFirst splitter
The splitter assumes a purely numeric date (for example, 07/08/09) is in the format dd/MM/yy. The timestamp must have a time, and may have an optional date. The date may have an optional year. If the date or year is missing, the current date or year is substituted. The NormalizedDayFirst splitter outputs the timestamp in a normalized format. As a result, the index configuration does not need to be modified with the timestamp format.
NormalizedYearFirst splitter
The splitter assumes a purely numeric date (for example, 07/08/09) is in the format yy/MM/dd. The timestamp must have a time, and may have an optional date. The date may have an optional year. If the date or year is missing, the current date or year is substituted. The NormalizedYearFirst splitter outputs the timestamp in a normalized format. As a result, the index configuration does not need to be modified with the timestamp format.
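
The following sketch is an added example, not code from the Insight Pack. It shows how the three Normalized splitters read the same numeric date differently and how a missing date or year is filled from the server time, which matters when correlating events across sources. The function names, the ISO 8601 output, the 20yy reading of two-digit years, and the joining of lines without a timestamp to the previous record are all assumptions of this sketch.

```python
import re
from datetime import datetime

# Constructed pattern: optional numeric date (year optional), then a required time.
TS = re.compile(r"^(?:(\d{1,2})/(\d{1,2})(?:/(\d{1,2}))?\s+)?(\d{1,2}):(\d{2}):(\d{2})")
# Field order of a three-part numeric date for each (hypothetically named) mode.
ORDERS = {"MonthFirst": "Mdy", "DayFirst": "dMy", "YearFirst": "yMd"}

def normalize(line, order, now):
    """Return the leading timestamp of line as ISO 8601, or None if absent."""
    m = TS.match(line)
    if not m:
        return None
    a, b, c, hh, mm, ss = m.groups()
    year, month, day = now.year, now.month, now.day  # substituted when missing
    if a is not None:
        layout = ORDERS[order] if c is not None else ORDERS[order].replace("y", "")
        f = dict(zip(layout, (int(x) for x in (a, b, c) if x is not None)))
        year = 2000 + f["y"] if "y" in f else year  # assumption: yy means 20yy
        month, day = f["M"], f["d"]
    try:
        return datetime(year, month, day, int(hh), int(mm), int(ss)).isoformat()
    except ValueError:
        return None  # not a valid date under this order: no record boundary

def split_records(lines, order, now):
    """Start a new record at every line that begins with a timestamp."""
    records = []
    for line in lines:
        ts = normalize(line, order, now)
        if ts is not None or not records:
            records.append([ts, line])
        else:
            records[-1][1] += "\n" + line  # continuation, e.g. a stack trace
    return [tuple(r) for r in records]

SAMPLE = [  # constructed log lines
    "07/08/09 10:15:00 login failed for user alice",
    "    at auth.check(line 42)",
    "10:16:30 session closed",
]
NOW = datetime(2024, 3, 5)  # stands in for the server's system time

if __name__ == "__main__":
    for order in ORDERS:
        print(order, split_records(SAMPLE, order, NOW))
```

Choosing the wrong order for a source silently shifts its events by months or years rather than failing, so confirm the order against a record whose date is unambiguous (a day value above 12) before indexing.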