The following table lists the default data patterns available with the TrueSight IT Data Analytics product.


Default data patterns

Columns: Name, Date Format, Primary pattern
Application

Hadoop
Date format: yyyy-MM-ddHH:mm:ss,SSS
Primary pattern: %{HadoopTimestamp:timestamp}\s+%{HadoopLevel:debuglevel}\s+%{Data:component}:\s+%{MultilineEntry:details}

Log4j
Date format: EEE MMM dd HH:mm:ss Z yyyy
Primary pattern: %{Log4JTimestamp:timestamp}\s+:?\s+%{MultilineEntry:details}

Application Server

Apache Tomcat
Date format: MMM dd, yyyy hh:mm:ss a
Primary pattern: %{ApacheTomcatTimestamp:timestamp}\s+%{Data:classname}\s+%{Data:actiontype}(?:|\s+%{Data:msgtype}:(?:%{Data:message1}\[%{Uri:location}\]\.\s+%{Data:message2}|\s%{MultilineEntry:details}))

IBM WebSphere - Activity
Date format: yyyy-MM-dd HH:mm:ss
Primary pattern: [-]+\s*ComponentId:\s*%{Data:componentid}\s*ProcessId:\s*%{Data:processid}\s*ThreadId:\s*%{Data:threadid}\s*ThreadName:\s*%{Data:threadname}\s*Alarm\s*:\s*%{Data:alarm}\s*SourceId:\s*%{Data:sourceid}\s*ClassName:%{Data:classname}\s*MethodName:%{Data:methodname}\s*Manufacturer:\s*%{Data:manufacturer}\s*Product:\s*%{Data:product}\s*Version:\s*%{Data:version}\s*ServerName:\s*%{Data:servername}\s*TimeStamp:\s*%{WsActivityTimestamp:timestamp}\s*UnitOfWork:%{Data:unitofwork}\s*Severity:\s*%{Data:severity}\s*Category:\s*%{Data:category}\s*PrimaryMessage:\s*%{Data:primarymessage}\s*ExtendedMessage:\s*%{Data:extendedmessage}\s*[-]+(?:|%{MultilineEntry:details})

IBM WebSphere - SystemError
Date format: MM/dd/yy HH:mm:ss:SSS Z
Primary pattern: \[%{IbmWebsphereTimestamp:timestamp}\]\s%{Data:groupid}\sSystemErr\s+%{Data:level}\s+(?:at\s+%{GreedyData:class}\.%{Data:function}\((?:.*:%{Data:linenum}|.*)\)|%{MultilineEntry:details})

IBM WebSphere - SystemOut
Date format: MM/dd/yy HH:mm:ss:SSS Z
Primary pattern: \[%{IbmWebsphereTimestamp:timestamp}\]\s%{Data:groupid}\s%{Data:component}\s+%{Data:level}\s+%{MultilineEntry:details}

Microsoft SharePoint
Date format: dd/MM/yyyy HH:mm:ss.SS
Primary pattern: %{SharepointTimestamp:timestamp}\s*\t%{Data:processingfileinfo}\s*\t%{Data:tid}\s*\t%{Data:sharepoint}\s*\t%{Data:category}\s*\t%{Data:eventid}\s*\t%{Data:tracelevel}\s*\t(?:|%{MultilineEntry:details})

Oracle WebLogic
Date format: MMM dd, yyyy hh:mm:ss a z
Primary pattern: [#]+<%{WeblogicTimestamp:timestamp}>\s<%{Data:level}>\s<%{Data:server}>\s<%{Data:data1}>\s<%{Data:user}>\s<%{Data:thread}>\s<%{Data:kernel}>\s<%{Data:data2}>\s<%{Data:data3}>\s<HostName:\s%{Ip:hostname},\smaps\sto\smultiple\sIP\saddresses:%{Data:ipaddresses}>(?:|%{MultilineEntry:details})

Xen App Server
Date format: yyyy-MM-dd HH:mm:ss
Primary pattern: %{SqlAgentTimestamp:timestamp},%{PosInt:utc}\s+%{MsgType:messagetype}\s+%{MultilineEntry:details}

Database

IBM DB2 - Diagnostics
Date format: yyyy-MM-dd-HH.mm.ss.SSS
Primary pattern: %{Db2Timestamp:timestamp}[0-9]{3}(?:|\+%{PosInt:utcdiffminutes}|%{UtcMinus:utcdiffminutes})\s+%{Data:recordid}\s+%{MultilineEntry:details}

Microsoft SQLServer
Date format: yyyy-MM-dd HH:mm:ss.SS
Primary pattern: %{SqlTimestamp:timestamp}\s+%{Data:component}\s+%{MultilineEntry:details}

Microsoft SQLServer - Agent
Date format: yyyy-MM-dd HH:mm:ss
Primary pattern: %{SqlAgentTimestamp:timestamp}\s+-?\s+%{Data:loglevel}\s+\[%{Data:resourceid}\]\s+%{MultilineEntry:details}

MySQL - Error
Date format: yyMMdd HH:mm:ss
Primary pattern: %{MysqlErrorTimestamp:timestamp}\s+%{Data:message}\s*Version:%{Data:version}\s+socket:\s*%{Data:socket}\s+port:\s*%{Port:portnumber}\s%{MultilineEntry:details}

Oracle Database - Alert
Date format: EEE MMM dd HH:mm:ss yyyy
Primary pattern: %{OracleDbAlertTimestamp:timestamp}\s*%{MultilineEntry:details}

Oracle Database - XML
Date format: yyyy-MM-dd'T'HH:mm:ss.SSS
Primary pattern: <msg\stime\='%{OracleDbXmlTimestamp:timestamp}[\-\+]%{ExtraDigits:_ignore}:%{ExtraDigits:_ignore}'\s*%{MultilineEntry:details}

Internal

ITDA
Date format: MMM dd, yyyy hh:mm:ss a
Primary pattern: %{ITDATimestamp:timestamp}\s+%{Data:class}\s+%{Data:function}\(\):%{Int:linenum}\s+\n*(?:%{ITDADebugLevel:level}:\s*%{MultilineEntry:details})?

ITDA Metrics
Date format: yyyy-MM-dd HH:mm:ss.SSS
Primary pattern: \[%{ITDAMetricsTimestamp:timestamp}\]\s\[%{Engine:engine}\]\s\[%{Data:collectorid}\]\s\[%{MultilineEntry:details}\]

Networking

Cisco Syslog
Date format: MMM dd yyyy HH:mm:ss
Primary pattern: %{CiscoTimestamp:timestamp}:\s\%%{TGenerator:generator}-%{PosInt:level}-%{PosInt:messagenumber}:\s*(?:|%{MultilineEntry:details})

F5 Load Balancer
Date format: MMM dd HH:mm:ss
Primary pattern: %{F5LBDTimestamp:timestamp}\s+%{Data:hostname}\s+%{Data:eventtype}\s+%{Data:userdata1}\s+%{Data:userdata2}\s+%{MultilineEntry:details}

Web Servers

Access Log - Combined
Date format: dd/MMM/yyyy:HH:mm:ss z
Primary pattern: %{Data:info}\s%{IpOrHost:ip}\s%{NotSpace:rfc931}\s%{NotSpace:username}\s\[%{AccessCombinedTimestamp:timestamp}\]\s%{Data:request}\s%{PosInt:statuscode}\s%{PosInt:bytes}\s%{Data:referrer}\s%{AnyStringInQuotes:useragent}\s%{Data:cookie}(?:|%{MultilineEntry:details})

Access Log - Common
Date format: dd/MMM/yyyy:HH:mm:ss z
Primary pattern: %{IpOrHost:ipaddress}\s+%{Data:rfc931}\s+%{Data:username}\s+\[%{AccessCommonTimestamp:timestamp}\]\s+ "%{RequestType:type}\s+%{GreedyData:imageurl}\s+%{Data:protocol}" \s+%{PosInt:statuscode}\s+%{PosInt:size}(?:|\s*%{MultilineEntry:details})

Apache Access
Date format: dd/MMM/yy:HH:mm:ss
Primary pattern: %{IpOrHost:clientip} %{User:ident} %{User:auth} \[%{HttpTimestamp:timestamp}\] "%{Word:verb} %{UriPathParam:request} HTTP/%{Number:httpversion}" %{Number:response} (?:%{Number:bytes}|-) (?:"%{Uri:referrer}"|%{QuotedString:referrer}|"-") %{QuotedString:agent}(?: (?:%{Number:num1}|-) (?:%{Number:num2}|-))?

Apache Http Server - Error
Date format: yyyy-MM-dd HH:mm:ss
Primary pattern: %{HttpdErrTimestamp:timestamp}\s+%{Ip:cip}\s+%{Port:cport}\s+%{Ip:sip}\s+%{Port:sport}\s+%{HttpdErrCsVersion:csversion}\s+%{HttpdErrCsMethod:csmethod}\s+%{HttpdErrCsUri:csuri}\s+(?:%{PosInt:csstatus}|-)\s+(?:%{PosInt:ssiteid}|-)\s+%{HttpdErrsReason:sreason}\s+%{HttpdErrsSequence:ssequence}

Microsoft IIS
Date format: HH:mm:ss
Primary pattern: %{MicrosoftIISTimestamp:timestamp}\s+%{Ip:cip}\s+%{Data:csmethod}\s+%{Data:csuristem}\s+%{MultilineEntry:csstatus}

Microsoft IIS - Extended
Date format: yyyy-MM-dd HH:mm:ss
Primary pattern: %{WsActivityTimestamp:timestamp}\s+%{Data:sitename}\s+%{Ip:sip}\s+%{Data:csmethod}\s+%{Data:csuristem}\s+%{Data:csuriquery}\s+%{Port:sport}\s+%{Data:csusername}\s+%{Ip:cip}\s+%{Data:csuseragent}\s+%{Data:scstatus}\s+%{PosInt:scsubstatus}\s+%{MultilineEntry:scwin32status}

Others

Free Text
Date format: None
Note: The date-time stamp need not be a part of the event data as the product adds a timestamp to the events at the time of indexing. For more information, see the section on "How do I know which data pattern is appropriate for my data file" at Setting up data patterns to extract fields.
Primary pattern: None
Note: All events that are processed using this data pattern are assumed to be a single line of data with a line terminator at the end of the event.