Default data patterns

The following table lists the default data patterns available with the TrueSight IT Data Analytics product.


Name | Date Format | Primary pattern
Application
Hadoop
yyyy-MM-ddHH:mm:ss,SSS
%{HadoopTimestamp:timestamp}\s+%{HadoopLevel:debuglevel}\s+%{Data:component}:\s+%{MultilineEntry:details}
Log4j
EEE MMM dd HH:mm:ss Z yyyy
%{Log4JTimestamp:timestamp}\s+:?\s+%{MultilineEntry:details}
Application Server
Apache Tomcat
MMM dd, yyyy hh:mm:ss a
%{ApacheTomcatTimestamp:timestamp}\s+%{Data:classname}\s+%{Data:actiontype}(?:|\s+%{Data:msgtype}:(?:%{Data:message1}\[%{Uri:location}\]\.\s+%{Data:message2}|\s%{MultilineEntry:details}))
IBM WebSphere - Activity
yyyy-MM-dd HH:mm:ss
[-]+\s*ComponentId:\s*%{Data:componentid}\s*ProcessId:\s*%{Data:processid}\s*ThreadId:\s*%{Data:threadid}\s*ThreadName:\s*%{Data:threadname}\s*Alarm\s*:\s*%{Data:alarm}\s*SourceId:\s*%{Data:sourceid}\s*ClassName:%{Data:classname}\s*MethodName:%{Data:methodname}\s*Manufacturer:\s*%{Data:manufacturer}\s*Product:\s*%{Data:product}\s*Version:\s*%{Data:version}\s*ServerName:\s*%{Data:servername}\s*TimeStamp:\s*%{WsActivityTimestamp:timestamp}\s*UnitOfWork:%{Data:unitofwork}\s*Severity:\s*%{Data:severity}\s*Category:\s*%{Data:category}\s*PrimaryMessage:\s*%{Data:primarymessage}\s*ExtendedMessage:\s*%{Data:extendedmessage}\s*[-]+(?:|%{MultilineEntry:details})
IBM WebSphere - SystemError
MM/dd/yy HH:mm:ss:SSS Z
\[%{IbmWebsphereTimestamp:timestamp}\]\s%{Data:groupid}\sSystemErr\s+%{Data:level}\s+(?:at\s+%{GreedyData:class}\.%{Data:function}\((?:.*:%{Data:linenum}|.*)\)|%{MultilineEntry:details})
IBM WebSphere - SystemOut
MM/dd/yy HH:mm:ss:SSS Z
\[%{IbmWebsphereTimestamp:timestamp}\]\s%{Data:groupid}\s%{Data:component}\s+%{Data:level}\s+%{MultilineEntry:details}
Microsoft SharePoint
dd/MM/yyyy HH:mm:ss.SS
%{SharepointTimestamp:timestamp}\s*\t%{Data:processingfileinfo}\s*\t%{Data:tid}\s*\t%{Data:sharepoint}\s*\t%{Data:category}\s*\t%{Data:eventid}\s*\t%{Data:tracelevel}\s*\t(?:|%{MultilineEntry:details})
Oracle WebLogic
MMM dd, yyyy hh:mm:ss a z
[#]+<%{WeblogicTimestamp:timestamp}>\s<%{Data:level}>\s<%{Data:server}>\s<%{Data:data1}>\s<%{Data:user}>\s<%{Data:thread}>\s<%{Data:kernel}>\s<%{Data:data2}>\s<%{Data:data3}>\s<HostName:\s%{Ip:hostname},\smaps\sto\smultiple\sIP\saddresses:%{Data:ipaddresses}>(?:|%{MultilineEntry:details})
Xen App Server
yyyy-MM-dd HH:mm:ss
%{SqlAgentTimestamp:timestamp},%{PosInt:utc}\s+%{MsgType:messagetype}\s+%{MultilineEntry:details}
Database
IBM DB2 - Diagnostics
yyyy-MM-dd-HH.mm.ss.SSS
%{Db2Timestamp:timestamp}[0-9]{3}(?:|\+%{PosInt:utcdiffminutes}|%{UtcMinus:utcdiffminutes})\s+%{Data:recordid}\s+%{MultilineEntry:details}
Microsoft SQLServer
yyyy-MM-dd HH:mm:ss.SS
%{SqlTimestamp:timestamp}\s+%{Data:component}\s+%{MultilineEntry:details}
Microsoft SQLServer - Agent
yyyy-MM-dd HH:mm:ss
%{SqlAgentTimestamp:timestamp}\s+-?\s+%{Data:loglevel}\s+\[%{Data:resourceid}\]\s+%{MultilineEntry:details}
MySQL - Error
yyMMdd HH:mm:ss
%{MysqlErrorTimestamp:timestamp}\s+%{Data:message}\s*Version:%{Data:version}\s+socket:\s*%{Data:socket}\s+port:\s*%{Port:portnumber}\s%{MultilineEntry:details}
Oracle Database - Alert
EEE MMM dd HH:mm:ss yyyy
%{OracleDbAlertTimestamp:timestamp}\s*%{MultilineEntry:details}
Oracle Database - XML
yyyy-MM-dd'T'HH:mm:ss.SSS
<msg\stime\='%{OracleDbXmlTimestamp:timestamp}[\-\+]%{ExtraDigits:_ignore}:%{ExtraDigits:_ignore}'\s*%{MultilineEntry:details}
Internal
ITDA
MMM dd, yyyy hh:mm:ss a
%{ITDATimestamp:timestamp}\s+%{Data:class}\s+%{Data:function}\(\):%{Int:linenum}\s+\n*(?:%{ITDADebugLevel:level}:\s*%{MultilineEntry:details})?
ITDA Metrics
yyyy-MM-dd HH:mm:ss.SSS
\[%{ITDAMetricsTimestamp:timestamp}\]\s\[%{Engine:engine}\]\s\[%{Data:collectorid}\]\s\[%{MultilineEntry:details}\]
Networking
Cisco Syslog
MMM dd yyyy HH:mm:ss
%{CiscoTimestamp:timestamp}:\s\%%{TGenerator:generator}-%{PosInt:level}-%{PosInt:messagenumber}:\s*(?:|%{MultilineEntry:details})
F5 Load Balancer
MMM dd HH:mm:ss
%{F5LBDTimestamp:timestamp}\s+%{Data:hostname}\s+%{Data:eventtype}\s+%{Data:userdata1}\s+%{Data:userdata2}\s+%{MultilineEntry:details}
Web Servers
Access Log - Combined
dd/MMM/yyyy:HH:mm:ss z

%{Data:info}\s%{IpOrHost:ip}\s%{NotSpace:rfc931}\s%{NotSpace:username}\s\[%{AccessCombinedTimestamp:timestamp}\]\s%{Data:request}\s%{PosInt:statuscode}\s%{PosInt:bytes}\s%{Data:referrer}\s%{AnyStringInQuotes:useragent}\s%{Data:cookie}(?:|%{MultilineEntry:details})

Access Log - Common
dd/MMM/yyyy:HH:mm:ss z
%{IpOrHost:ipaddress}\s+%{Data:rfc931}\s+%{Data:username}\s+\[%{AccessCommonTimestamp:timestamp}\]\s+ "%{RequestType:type}\s+%{GreedyData:imageurl}\s+%{Data:protocol}" \s+%{PosInt:statuscode}\s+%{PosInt:size}(?:|\s*%{MultilineEntry:details})
Apache Access
dd/MMM/yy:HH:mm:ss

%{IpOrHost:clientip} %{User:ident} %{User:auth} \[%{HttpTimestamp:timestamp}\] "%{Word:verb} %{UriPathParam:request} HTTP/%{Number:httpversion}" %{Number:response} (?:%{Number:bytes}|-) (?:"%{Uri:referrer}"|%{QuotedString:referrer}|"-") %{QuotedString:agent}(?: (?:%{Number:num1}|-) (?:%{Number:num2}|-))?

Apache Http Server - Error
yyyy-MM-dd HH:mm:ss
%{HttpdErrTimestamp:timestamp}\s+%{Ip:cip}\s+%{Port:cport}\s+%{Ip:sip}\s+%{Port:sport}\s+%{HttpdErrCsVersion:csversion}\s+%{HttpdErrCsMethod:csmethod}\s+%{HttpdErrCsUri:csuri}\s+(?:%{PosInt:csstatus}|-)\s+(?:%{PosInt:ssiteid}|-)\s+%{HttpdErrsReason:sreason}\s+%{HttpdErrsSequence:ssequence}
Microsoft IIS
HH:mm:ss
%{MicrosoftIISTimestamp:timestamp}\s+%{Ip:cip}\s+%{Data:csmethod}\s+%{Data:csuristem}\s+%{MultilineEntry:csstatus}
Microsoft IIS - Extended
yyyy-MM-dd HH:mm:ss
%{WsActivityTimestamp:timestamp}\s+%{Data:sitename}\s+%{Ip:sip}\s+%{Data:csmethod}\s+%{Data:csuristem}\s+%{Data:csuriquery}\s+%{Port:sport}\s+%{Data:csusername}\s+%{Ip:cip}\s+%{Data:csuseragent}\s+%{Data:scstatus}\s+%{PosInt:scsubstatus}\s+%{MultilineEntry:scwin32status}
Others

Free Text

Date Format: None

Note: The date-time stamp need not be a part of the event data as the product adds a timestamp to the events at the time of indexing. For more information, see the section on "How do I know which data pattern is appropriate for my data file" at Setting up data patterns to extract fields.

Primary pattern: None

Note: All events that are processed using this data pattern are assumed to be a single line of data with a line terminator at the end of the event.
