Events-log4j-parser

From NovaOrdis Knowledge Base
Revision as of 16:45, 2 September 2017 by Ovidiu (talk | contribs) (→‎Usage)

Internal

Overview

A library that produces timed events from log4j logs.

GitHub

https://github.com/NovaOrdis/events-log4j-parser

Installation

Installs as a command line utility, distributed as lg-<version>.zip.

TODO

./doc/Events log4j Parser TODO.docx.

Usage

lg [command] [command options] [query] <log-file1> [log-file2 ...]

The command is optional. When the command is missing, the implied command is "query": the given log file is parsed and the resulting events are matched against the query. Unless output filtering options are used, the events are displayed in their raw format, which is how they appear in the original log.

Commands:

  • help
  • version
  • describe - displays a description of the events produced as a result of parsing.
  • time-gaps - identifies time gaps in the log.
  • count (-c) - displays the number of events that match the query.
  • exclude (-x) - filters out the events that match the query and only displays those that do not match. This command is equivalent to the grep --invert-match (-v) option.

For more details about commands (procedures), see:

Events Processing (events-processing)

Query

The query filters the events that will be displayed.

A query contains:

  • keywords
  • event properties
  • regular expressions

Keyword Query

The keyword query is by default case insensitive, unless ... is specified.

When multiple separate keywords are present in the query, the query selects the union of the events that contain each keyword.

blue red

will return all events that contain "blue" and all events that contain "red". Those events that contain both "blue" and "red" will be represented once in the returned set.

Note that:

blue red

and:

"blue red"

are different.

Keywords are matched against each property.

Event Property Query

Event property values can be queried using the following syntax:

property-name:exact-match

"Property query" and "field query" terms are currently used interchangeably.
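The keyword and property query semantics described above, together with the count and exclude commands, as an added example that is not code from the events-log4j-parser project. It assumes a constructed log4j layout with the property names timestamp, level, logger and message (the real names are whatever describe reports), and it assumes that when property terms and keywords are mixed, all property terms must hold and at least one keyword must match.

```python
import re
import shlex

# Constructed sample log4j lines (not from the project), "%d %-5p [%c] %m" style.
SAMPLE_LOG = """\
2017-09-02 16:45:01,120 INFO  [org.example.Pool] blue connection acquired
2017-09-02 16:45:02,340 WARN  [org.example.Pool] red flag raised
2017-09-02 16:45:03,560 ERROR [org.example.Pool] blue red alert
2017-09-02 16:45:04,780 INFO  [org.example.Web] Request handled
"""

# Assumed property names; a real layout would define its own.
LINE_RE = re.compile(r"^(?P<timestamp>\S+ \S+) (?P<level>\w+)\s+"
                     r"\[(?P<logger>[^\]]+)\] (?P<message>.*)$")


def parse(log_text):
    """Turn each log4j line into an event: a dict of property name -> value."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["raw"] = line  # raw form, shown when no output filtering is used
            events.append(ev)
    return events


def matches(event, query):
    """True if the event satisfies the query string."""
    keywords, props = [], []
    for tok in shlex.split(query):  # shlex keeps "blue red" as one keyword
        name, sep, value = tok.partition(":")
        if sep and name in event:
            props.append((name, value))   # property-name:exact-match
        else:
            keywords.append(tok.lower())  # keywords are case-insensitive
    # Assumption: every property term must hold (exact, case-sensitive).
    if any(event[name] != value for name, value in props):
        return False
    if not keywords:
        return True
    # Keywords are matched against each property; separate keywords are a union.
    values = [v.lower() for k, v in event.items() if k != "raw"]
    return any(kw in v for kw in keywords for v in values)


def query(events, q):       # implied "query" command: raw lines that match
    return [ev["raw"] for ev in events if matches(ev, q)]


def count(events, q):       # count (-c)
    return len(query(events, q))


def exclude(events, q):     # exclude (-x), like grep --invert-match
    return [ev["raw"] for ev in events if not matches(ev, q)]
```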