CPars.exe


Description

This program provides access to the BMC Defender Server parsing functions. The program can be used as a simple filter, reading standard input, and outputting parsed values. The function accepts multiple expressions in the form of keyword matches, field positions, and more complex $parse functions. See documentation on BMC Defender parsing functions for detailed information. 

Note

This program cannot be used as the input to the CFmt program as discussed previously.

Usage and Syntax

Usage: type (infile) | cpars.exe [(opts) ] "(pfun1)"
[ ("pfun2") [ ("pfun3") ...]]

Also:  cpars.exe -file (infile) [ (opts) ] "(pfun1)"
[ ("pfun2") [ ("pfun3") ...]]

Opts:  -file     (infile)
Opts:  -sep      ("delimstr")
Opts:  -maxcount (count)
Opts:  -analyze

Arguments

(opts)

This argument is one or more of the command options. Zero or more options can be specified. (See the options described below.)

-file

This argument, if it exists, specifies the input file to process. The option must be followed by a valid (infile) argument, which is the pathname of the file to process. If this option is omitted, the CPars program reads standard input and writes the matched results to standard output.

(infile)

This argument must follow the -file argument, and is the full or relative pathname of the file to process.

-sep

This argument, if it exists, is a character (or a phrase enclosed in double quotes) that separates the parsed values output by the program.

Example

The -sep value might be a pipe, or a comma, or a string. The default output field separator is a single blank space.


-maxcount  (or -max)

This argument, if it exists, is the number of lines to parse and output. The default number of lines to parse is 0x7FFFFFFF (if no -maxcount option is specified).

(count)

This argument must follow the -maxcount argument, and can be any integer number ranging from 1 to the maximum integer size for the system.

-analyze

This argument, if it exists, changes the mode of the program to output a tabulated occurrence count of matched values, showing the number of times the parse function result occurred in the input, similar to the Analyze function of the server. (See the CLyze.exe function for additional information.) 

(pfun1)

This is a parse function, which can be a value such as $1 for the first word of input, $2 for the second word of the input, and so on. It might also be a match pattern such as user name: * (which returns the space-delimited string following the user name). It might also be a complex (possibly nested) BMC Defender parse function such as $message(1, 20).

(pfunN)

The first parse function can be followed by other parse functions, to a maximum of around 255 functions. Each parse function is applied to the message, and the output (if any) is returned to standard output.

Application

The CPars.exe program is commonly used as the final step of a pipeline, necessary to parse the message into fields for reporting. The program accepts as input a raw list of messages (such as that produced by the Cat functions described elsewhere.)

The program accepts one or more parse specifications, which can be used to extract part of the message by field number, by context, or by special $parse() functions. This provides a huge amount of power in targeting the particular fields of the message. (See the CO-PARSE.pdf manual for detailed information on parse expressions.)

Specifically, parse specifications can consist of:

  1. Numeric word positions such as $1, $2, $99.
  2. Match expressions such as user: *, and this - *.
  3. Parse functions such as $url(http://*) and $geo($12).
  4. Nested composite specifications such as $basename($url($8)).

Each parse specification should be enclosed in double-quotes if it contains spaces. Each parse specification is executed, and the parsed result (consisting of a single word or a string) is output separated by whatever string or character has been specified with the optional -sep argument. At least one parse specification is required, but multiple parse specifications can be used.
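
The following is an added illustration, not BMC Defender code: a simplified Python model of the two simplest specification forms above (numeric word positions and "keyword: *" match expressions) together with -sep, -maxcount and -analyze. The names apply_spec, cpars and SAMPLE are hypothetical; the case-sensitive matching, the handling of unmatched specifications, and the sample messages are assumptions.

```python
import re
from collections import Counter
from itertools import islice

# Constructed sample messages (date, time, device, severity, text); not tool output.
SAMPLE = [
    "2024/03/01 10:15:02 10.0.0.5 error Logon failure user name: alice from 10.0.0.77",
    "2024/03/01 10:15:09 10.0.0.5 error Logon failure user name: bob from 10.0.0.78",
    "2024/03/01 10:16:40 10.0.0.9 info Service started",
    "2024/03/01 10:17:11 10.0.0.5 error Logon failure user name: alice from 10.0.0.77",
]

def apply_spec(line, spec):
    """Return the value one parse specification extracts from one message."""
    words = line.split()
    m = re.fullmatch(r"\$(\d+)", spec)
    if m:  # numeric word position: $1 is the first word
        n = int(m.group(1))
        return words[n - 1] if 1 <= n <= len(words) else ""
    if spec.endswith("*"):  # match expression such as "user name: *"
        key = spec[:-1].strip()
        pos = line.find(key)  # assumption: literal, case-sensitive match
        if pos < 0:
            return ""  # assumption: an unmatched expression yields nothing
        rest = line[pos + len(key):].split()
        return rest[0] if rest else ""  # the space-delimited string after the keyword
    raise ValueError("specification form not covered by this model: " + spec)

def cpars(lines, specs, sep=" ", maxcount=0x7FFFFFFF, analyze=False):
    """Model of the filter: at most one output row per input line."""
    rows = []
    for line in islice(lines, maxcount):  # -maxcount limits the lines parsed
        values = [apply_spec(line, s) for s in specs]
        if any(values):  # assumption: a line where nothing matched prints nothing
            rows.append(sep.join(v for v in values if v))
    if analyze:  # -analyze: occurrence count of each parsed result
        return Counter(rows).most_common()
    return rows

if __name__ == "__main__":
    for row in cpars(SAMPLE, ["$2", "user name: *"], sep="|"):
        print(row)
    print(cpars(SAMPLE, ["user name: *"], analyze=True))
```
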

Examples
REM: Display the first, seventh, and fourth fields
REM: of the file my.log:

CPars.exe -f my.log $1 $7 $4

REM: Display the first, second, and fifth fields
REM: of the input stream. Values are separated by
REM: a "pipe" character:

type my.log|CPars.exe -sep "|" $1 $2 $5

REM: Display the values following "user name:"
REM: in the input stream.

type my.log|CPars.exe "user name: *"

REM: Display the date and time of all messages
REM: followed by the "user name" (if any)
REM: in the message. Messages are listed by the
REM: "CatMsg.exe" program, discussed elsewhere:

CatMsg.exe -all|CPars.exe $2 "user name: *"

REM: Display any URLs for any message that contains
REM: an "http:" prefix. The messages are listed
REM: using the CatMsg.exe program, then filtered using
REM: the CExpr.exe utility, and then parsed using the
REM: CPars.exe utility.

CatMsg -all | CExpr http: | CPars "http://*"

REM: Display the date, time, device, severity, and
REM: severity of all messages. A max of 1000
REM: messages are parsed.

CatMsg -all | CPars.exe -maxcount 1000 $1 $2 $3 $4

REM: Display the first 20 words of each message,
REM: starting with the fifth word. This uses
REM: the $message() parse function.

CatMsg.exe -all | CPars.exe "$message(5, 20)"
