Name | Date Format | Primary pattern |
---|---|---|
Application |
Hadoop | yyyy-MM-ddHH:mm:ss,SSS | %{HadoopTimestamp:timestamp}\s+ %{HadoopLevel:debuglevel}\s+ %{Data:component}:\s+ %{MultilineEntry:details} |
Log4j | EEE MMM dd HH:mm:ss Z yyyy | %{Log4JTimestamp:timestamp}\s+:?\s+ %{MultilineEntry:details} |
Application Server |
Apache Tomcat | MMM dd, yyyy hh:mm:ss a | %{ApacheTomcatTimestamp:timestamp}\s+ %{Data:classname}\s+ %{Data:actiontype}(?:|\s+ %{Data:msgtype}:(?:%{Data:message1} \[%{Uri:location}\]\.\s+%{Data:message2} |\s%{MultilineEntry:details})) |
IBM WebSphere - Activity | yyyy-MM-dd HH:mm:ss | [-]+\s*ComponentId:\s* %{Data:componentid}\s*ProcessId:\s*%{Data:processid} \s*ThreadId:\s*%{Data:threadid} \s*ThreadName:\s*%{Data:threadname}\s*Alarm\s*:\s*%{Data:alarm}\s*SourceId:\s*%{Data:sourceid}\s*ClassName: %{Data:classname}\s*MethodName: %{Data:methodname}\s*Manufacturer:\s*%{Data:manufacturer}\s*Product:\s* %{Data:product}\s*Version:\s*%{Data:version} \s*ServerName:\s*%{Data:servername}\s*TimeStamp:\s* %{WsActivityTimestamp:timestamp}\s*UnitOfWork:%{Data:unitofwork}\s*Severity:\s*%{Data:severity}\s*Category:\s* %{Data:category}\s*PrimaryMessage:\s* %{Data:primarymessage} \s*ExtendedMessage:\s* %{Data:extendedmessage}\s*[-]+(?:|%{MultilineEntry:details}) |
IBM WebSphere - SystemError | MM/dd/yy HH:mm:ss:SSS Z | \[%{IbmWebsphereTimestamp:timestamp}\] \s%{Data:groupid}\sSystemErr\s+ %{Data:level}\s+ (?:at\s+%{GreedyData:class}\. %{Data:function}\((?:.*:%{Data:linenum}|.*)\)| %{MultilineEntry:details}) |
IBM WebSphere - SystemOut | MM/dd/yy HH:mm:ss:SSS Z | \[%{IbmWebsphereTimestamp:timestamp}\]\s %{Data:groupid}\s%{Data:component}\s+ %{Data:level}\s+%{MultilineEntry:details} |
Microsoft SharePoint | dd/MM/yyyy HH:mm:ss.SS | %{SharepointTimestamp:timestamp}\s*\t %{Data:processingfileinfo}\s*\t %{Data:tid}\s*\t %{Data:sharepoint}\s*\t %{Data:category}\s*\t %{Data:eventid}\s*\t %{Data:tracelevel}\s*\t(?:| %{MultilineEntry:details}) |
Oracle WebLogic | MMM dd, yyyy hh:mm:ss a z | [#]+<%{WeblogicTimestamp:timestamp}> \s<%{Data:level}> \s<%{Data:server}>\s<%{Data:data1}> \s<%{Data:user}> \s<%{Data:thread}>\s<%{Data:kernel}> \s<%{Data:data2}>\s<%{Data:data3}> \s<HostName:\s%{Ip:hostname}, \smaps\sto\smultiple\sIP\saddresses: %{Data:ipaddresses}> (?:|%{MultilineEntry:details}) |
Xen App Server | yyyy-MM-dd HH:mm:ss | %{SqlAgentTimestamp:timestamp}, %{PosInt:utc}\s+ %{MsgType:messagetype}\s+ %{MultilineEntry:details} |
Database |
IBM DB2 - Diagnostics | yyyy-MM-dd-HH.mm.ss.SSS | %{Db2Timestamp:timestamp}[0-9]{3} (?:|\+%{PosInt:utcdiffminutes}| %{UtcMinus:utcdiffminutes})\s+ %{Data:recordid}\s+ %{MultilineEntry:details} |
Microsoft SQLServer | yyyy-MM-dd HH:mm:ss.SS | %{SqlTimestamp:timestamp}\s+ %{Data:component}\s+ %{MultilineEntry:details} |
Microsoft SQLServer - Agent | yyyy-MM-dd HH:mm:ss | %{SqlAgentTimestamp:timestamp}\s+-?\s+ %{Data:loglevel}\s+ \[%{Data:resourceid}\]\s+ %{MultilineEntry:details} |
MySQL - Error | yyMMdd HH:mm:ss | %{MysqlErrorTimestamp:timestamp}\s+ %{Data:message}\s*Version: %{Data:version}\s+socket:\s* %{Data:socket}\s+port:\s* %{Port:portnumber}\s %{MultilineEntry:details} |
Oracle Database - Alert | EEE MMM dd HH:mm:ss yyyy | %{OracleDbAlertTimestamp:timestamp}\s* %{MultilineEntry:details} |
Oracle Database - XML | yyyy-MM-dd'T'HH:mm:ss.SSS | <msg\stime\=' %{OracleDbXmlTimestamp:timestamp} [\-\+]%{ExtraDigits:_ignore}: %{ExtraDigits:_ignore}'\s* %{MultilineEntry:details} |
Internal |
ITDA | MMM dd, yyyy hh:mm:ss a | %{ITDATimestamp:timestamp}\s+ %{Data:class}\s+ %{Data:function}\(\): %{Int:linenum}\s+\n* (?:%{ITDADebugLevel:level}:\s* %{MultilineEntry:details})? |
ITDA Metrics | yyyy-MM-dd HH:mm:ss.SSS | \[%{ITDAMetricsTimestamp:timestamp}\] \s\[%{Engine:engine}\]\s\[%{Data:collectorid}\]\s\[%{MultilineEntry:details}\] |
Networking |
Cisco Syslog | MMM dd yyyy HH:mm:ss | %{CiscoTimestamp:timestamp}:\s\% %{TGenerator:generator}-%{PosInt:level}- %{PosInt:messagenumber}:\s* (?:|%{MultilineEntry:details}) |
F5 Load Balancer | MMM dd HH:mm:ss | %{F5LBDTimestamp:timestamp}\s+ %{Data:hostname}\s+ %{Data:eventtype}\s+ %{Data:userdata1}\s+ %{Data:userdata2}\s+ %{MultilineEntry:details} |
Web Servers |
Access Log - Combined | dd/MMM/yyyy:HH:mm:ss z | %{Data:info}\s%{IpOrHost:ip}\s%{NotSpace:rfc931}\s%{NotSpace:username}\s\[%{AccessCombinedTimestamp:timestamp}\]\s%{Data:request}\s%{PosInt:statuscode}\s%{PosInt:bytes}\s%{Data:referrer}\s%{AnyStringInQuotes:useragent}\s%{Data:cookie}(?:|%{MultilineEntry:details}) |
Access Log - Common | dd/MMM/yyyy:HH:mm:ss z | %{IpOrHost:ipaddress}\s+%{Data:rfc931}\s+ %{Data:username}\s+\[%{AccessCommonTimestamp:timestamp}\] \s+ "%{RequestType:type}\s+ %{GreedyData:imageurl}\s+ %{Data:protocol}" \s+ %{PosInt:statuscode}\s+ %{PosInt:size} (?:|\s*%{MultilineEntry:details}) |
Apache Access | dd/MMM/yy:HH:mm:ss | %{IpOrHost:clientip} %{User:ident} %{User:auth} \[%{HttpTimestamp:timestamp}\] "%{Word:verb} %{UriPathParam:request} HTTP/%{Number:httpversion}" %{Number:response} (?:%{Number:bytes}|-) (?:"%{Uri:referrer}"|%{QuotedString:referrer}|"-") %{QuotedString:agent}(?: (?:%{Number:num1}|-) (?:%{Number:num2}|-))? |
Apache Http Server - Error | yyyy-MM-dd HH:mm:ss | %{HttpdErrTimestamp:timestamp}\s+ %{Ip:cip}\s+%{Port:cport}\s+ %{Ip:sip}\s+%{Port:sport}\s+ %{HttpdErrCsVersion:csversion}\s+ %{HttpdErrCsMethod:csmethod}\s+ %{HttpdErrCsUri:csuri}\s+ (?:%{PosInt:csstatus}|-)\s+ (?:%{PosInt:ssiteid}|-)\s+ %{HttpdErrsReason:sreason}\s+ %{HttpdErrsSequence:ssequence} |
Microsoft IIS | HH:mm:ss | %{MicrosoftIISTimestamp:timestamp}\s+ %{Ip:cip}\s+%{Data:csmethod}\s+ %{Data:csuristem}\s+ %{MultilineEntry:csstatus} |
Microsoft IIS - Extended | yyyy-MM-dd HH:mm:ss | %{WsActivityTimestamp:timestamp}\s+ %{Data:sitename}\s+%{Ip:sip}\s+ %{Data:csmethod}\s+%{Data:csuristem}\s+ %{Data:csuriquery}\s+%{Port:sport}\s+ %{Data:csusername}\s+%{Ip:cip}\s+ %{Data:csuseragent}\s+%{Data:scstatus}\s+ %{PosInt:scsubstatus}\s+ %{MultilineEntry:scwin32status} |
Others |
Free Text | None. Note: The date-time stamp need not be a part of the event data as the product adds a timestamp to the events at the time of indexing. For more information, see the section on "How do I know which data pattern is appropriate for my data file" at Setting up data patterns to extract fields. | None. Note: All events that are processed using this data pattern are assumed to be a single line of data with a line terminator at the end of the event. |