Mappings
The OS agent uses mappings to determine the event class for a system log message. The agent determines the event class by matching the message to a pattern in the format file.
The agent converts log messages to event class instances that contain attribute name=value pairs. The event is then sent to the event server.
The agent determines the event class for a system log message at the source. The agent determines the event class by matching a system log message to a pattern in the format file. After you use this matching procedure to determine a class, you must assign values to the attributes.
Attribute values come from various sources, such as:
- Default values that are provided by the agent
- Log text that matches specific subexpressions in regular expressions
A map statement is included in the format file and consists of the following syntax:
name value CustomSlotn
Here, you specify any identifier to describe the name of a slot (also known as a variable, attribute, or value identifier). Then, you specify a value to assign to this slot by applying any of the values that are described in Value specifiers.
Use custom slots to view data in the Performance Management console and to define thresholds.
When you create thresholds, all custom slot values are strings. Custom slots are also required for
duplicate detection to work because you must identify the slots that are used to determine
duplicates. For more information about filtering events, see Event filtering and summarization.
msg is a special slot name, with its own attribute in the event table. You do not need to use a custom slot for msg.
-name value
Any slot that you define in this way is not included in the final event. However, you can reference the slot elsewhere in the format definition, specifically within a PRINTF statement. In the REGenericSyslog example that follows, the service slot is not included if you generate but you can reference it in the PRINTF statement. It retains the same value that was applied to the original slot when it was defined without the dash. By using this procedure, you can use temporary variables from the format definition that are not included in the final event.
For example, you can define an event class, REGenericSyslog, to match generic UNIX syslog events in the following way:
REGEX REGenericSyslog
^([A-Z][a-z]{2}) ([ 0-9][0-9]) ([0-9]{2}:[0-9]{2}:[0-9]{2}) (.*?) (.*?): (.*)$
month $1
date $2
time $3
host $4
-service $5
msg $6
syslog_msg PRINTF("service %s reports %s", service, msg)
END
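The following Python sketch is an added example, not the agent's own code. It emulates the REGenericSyslog definition above on a constructed syslog line to show which slots reach the final event and how the temporary service slot still feeds the PRINTF value. The function name map_line, the MAPPINGS table and the sample lines are assumptions made for this illustration.

```python
import re

# The pattern from the REGenericSyslog definition on this page, unchanged.
PATTERN = re.compile(
    r"^([A-Z][a-z]{2}) ([ 0-9][0-9]) ([0-9]{2}:[0-9]{2}:[0-9]{2}) (.*?) (.*?): (.*)$"
)

# Map statements in page order: (slot name, value specifier).
# A leading dash marks a temporary slot, as in "-service $5".
MAPPINGS = [
    ("month", "$1"),
    ("date", "$2"),
    ("time", "$3"),
    ("host", "$4"),
    ("-service", "$5"),
    ("msg", "$6"),
    ("syslog_msg", ("service %s reports %s", ["service", "msg"])),
]


def map_line(line):
    """Return the final event slots for one log line, or None if no match."""
    m = PATTERN.match(line)
    if m is None:
        return None  # the line does not belong to this event class
    scratch = {}  # every slot, temporary ones included (PRINTF reads these)
    event = {}    # only the slots that reach the final event
    for name, spec in MAPPINGS:
        temporary = name.startswith("-")
        slot = name.lstrip("-")
        if isinstance(spec, tuple):      # PRINTF(format, slot, slot, ...)
            fmt, args = spec
            value = fmt % tuple(scratch[a] for a in args)
        else:                            # $n -> nth regex subexpression
            value = m.group(int(spec[1:]))
        scratch[slot] = value
        if not temporary:
            event[slot] = value
    return event


# Constructed sample lines (not taken from a real system).
SAMPLE = "Mar  4 10:15:32 web01 sshd[2211]: Failed password for invalid user admin"
NON_MATCH = "kernel: line without a syslog timestamp"

if __name__ == "__main__":
    print(map_line(SAMPLE))
    print(map_line(NON_MATCH))
```

In this emulation a line that does not match the pattern yields no event, so a detection rule keyed on syslog_msg never sees it; check that the lines you rely on actually match before you build thresholds on their slots.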