Editing or cloning data patterns

This topic provides information about editing or cloning a data pattern.

Notes

  • The information required while editing and cloning a data pattern is the same except that when you edit a data pattern, you cannot change the name.
  • You cannot edit a data pattern that was imported via a content pack. However, you can clone the data pattern, customize it, and then save it.

Editing a data pattern can be useful in the following scenarios:

  • For making minor modifications like changing the category, date locale, multiline entry setting, or the date format.
  • For advanced field extraction – this requires modifying the primary pattern and for this you need knowledge of Java regular expressions.

This topic contains the following information:

Related topics

Creating-data-patterns

Setting-up-data-patterns-to-extract-fields 

Collecting-data-into-the-system

Suggested reading

Sample-data-patterns

Sample subpatterns

Sample-date-formats

Before you begin

Editing or cloning a data pattern

Depending on whether you want to edit or clone a data pattern, navigate to the Administration > Data Patterns tab, and proceed as follows:

  • To edit a data pattern, click Edit Data Patternedit icon.jpg, modify the information described in the following table, and click Update.
  • To clone a data pattern, click Clone Data Pattern Clone icon.jpg, modify the information described in the following table, and click Create.

The following table provides information about the list of fields available while editing or cloning a data pattern. These fields are segregated into logical sections to aid reading.

Editing or cloning a data pattern

Notes about editing or cloning a data pattern

The following notes are important to keep in mind while editing or cloning a data pattern and will help you understand the impact on the search capabilities:

Action

Description

1

Creating a custom date format

If you create a custom date format, then you must create a corresponding subpattern and use it in the primary pattern that you are constructing.

Impact: Without this, you cannot collect data using the particular data pattern.

2

Using internal fields

The following fields are internal fields and might not be available for previewing to validate the sample data entries.

  • timestamp

  • details

  • SEQUENCE_ID

  • _ignore

Impact: These fields are not searchable.

3

Using more than one subpattern for defining the timestamp field

While constructing a primary pattern, you cannot assign more than one subpattern for extracting the timestamp (field).

Instead of using more than one subpattern in the primary pattern, you can create a more complex subpattern that provides the unified value that you were trying to achieve with multiple subpatterns.

Impact: A data pattern containing such a primary pattern is invalid and is not usable for data-collection purposes.

Example of an invalid primary pattern

%{Data:_ignore}\s*
%{%MonthDay}/%{Month}/%{Year} %{Time}:timestamp}
\s*%{MultilineEntry:details}

Example of a valid pattern example

Primary pattern:

%{Mytimestamp:timestamp} \[%{Data:debuglevel}\]
%{Data:component} - \[Thread=%{Data:threadid}\]
%{Ip:clientip} - %{MultilineEntry:details}

Supporting subpattern:

Mytimestamp: %{DigitDay:day}\s+%{Month:month}\s+
%{FullYear}\s+%{Hour}:%{Minute}:%{Second}

4

Using the details field for categorizing miscellaneous information in your data file.

You can assign the details field for miscellaneous information that you do not want to categorize with a specific field. All name=value pairs in the section to which this field is applied are extracted as fields.

Impact: At the time of indexing, the details field is ignored. If you do not specify the details field in your primary pattern, then the product looks for name=value pairs in the entire raw data record and extracts them as fields.

5

Using the _ignore field for ignoring certain portions of data in your data file

You can assign the _ignore field to the the portion of your data that you want to ignore and not categorize with a specific field. For example, if you want to ignore the extra digits (the milliseconds) in the custom date and timestamp 2014 Thu May 14 05:25:14.12321, you can assign this field to the extra digits. In this case, you can use the following subpattern to ignore the last two digits:

%{extraDigits:_ignore}

where,

extraDigits = \d{2}

Impact: The portion of data to which this field is applied is not categorized with a field.

6

Using the letter X while creating a custom date format.

For a custom date format, the letter X that indicates the ISO 8601 time zone is not supported. To enable you to capture the time zone, when you create a data collector, select an option in the Time Zone field.

Impact: You cannot collect data.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*