PERL based log analyzer
Next: The 'kazimir.debug.TimeFormat' tool Up: The 'Log' tag Previous: The 'Log' tag   Contents

The 'TimeFormat' keyword

A log is usually organized as an ordered set of records. The date of the information recorded in a line is often explicitly provided in the line itself (as in /var/log/messages). When a pattern is found in a log, Kazimir has to know the 'time of the pattern', which is basically the date of the record that matches the regexp associated with the pattern. This pattern date will be used in the event combination, as we'll see in the next section. If the log shows a date in each of its lines, then Kazimir should be able to interpret it from the processed line itself, but for this it is necessary to tell Kazimir where the date is located in the line and how the date is displayed. The syntax for this definition is specific to Kazimir: it is a kind of regexp with additional signs that show which part of the date is where. All the signs have the form '%<character>' and are very close to the syntax used by the 'strftime' standard C library function.

For example, let's have a look at /var/log/messages: a line looks like this
\begin{verbatim}
Feb 20 02:35:43 gandalf unix: devinfo0 is /pseudo/devinfo@0
\end{verbatim}
More generally, a syslog line on my workstation will be: the date, the name of my workstation right after it, and a message. A date like the ones you can find in /var/log/messages is created via the C function strftime with a format argument like "%b %e %H:%M:%S". Let's imagine that I want to define a TimeFormat for making /var/log/messages processed by Kazimir; something like
\begin{verbatim}
^%b %e %H:%M:%S trekking
\end{verbatim}
will fit my needs.

The time conversion signs that you can use are shown in the following list. I still think that an example is a good way of explaining
something, so I will use the date 'Thursday July 5, 2001 16:45:08' as a basis and show, for every conversion sign, the correspondence with this date.
\begin{itemize}
\item \%a : locale's abbreviated weekday name --- {\bf Thu}
\item \%A : locale's full weekday name --- {\bf Thursday}
\item \%f : same as \%a but in French \footnote{In fact, I am French and I manipulate many logs with 'French' time format. Later, this sign could
be used for another local language date specification, for example with a switch based on an environment variable} --- {\bf Jeu}
\item \%F : same as \%A but in French --- {\bf Jeudi}
\item \%b : locale's abbreviated month name --- {\bf Jul}
\item \%B : locale's full month name --- {\bf July}
\item \%g : same as \%b but in French --- {\bf Jui}
\item \%G : same as \%B but in French --- {\bf Juillet}
\item \%m : month number [1,12]; single digits are preceded by 0 --- {\bf 07}
\item \%d : day of month [1,31]; single digits are preceded by 0 --- {\bf 05}
\item \%j : day number of year [1,366]; single digits are preceded by 0 --- {\bf 186}
\item \%e : day of month [1,31]; single digits are preceded by a space --- {\bf " 5"}
\item \%q : daylight saving; can take the value 0, H, h or w in winter (inactive daylight saving) and 1, e, E, S or s in summer (active daylight saving) --- {\bf "W"}
\item \%y : year within century [00,99] --- {\bf 01}
\item \%Y : year, including the century --- {\bf 2001}
\item \%H : hour (24-hour clock) [0,23]; single digits are preceded by 0 --- {\bf 16}
\item \%I : hour (12-hour clock) [1,12]; single digits are preceded by 0 --- {\bf 04}
\item \%p : 12-hour period, AM or PM --- {\bf PM}
\item \%k : hour (24-hour clock) [0,23]; single digits are preceded by a blank --- {\bf 16}
\item \%S : seconds on one or two digits; the leading 0 is optional --- {\bf 08}
\item \%M : minutes; the leading 0 is permitted but not required --- {\bf 45}
\item \%E : Epoch time, the number of seconds since 1/1/1970 (the usual Unix date format)
\end{itemize}

There is one predefined TimeFormat: the 'NONE' TimeFormat. If TimeFormat has the value 'NONE', it means that no time is shown within the line taken
from the log. In this case, the time when the line was seen by Kazimir is used (i.e. the current time). If no time format is specified, NONE is the default value for TimeFormat.

Last but not least: the TimeFormat is very similar to a regexp, so take care of any additional space characters you leave in it. The TimeFormat
will be defined by something like {\it TimeFormat =\%b \%e \%H:\%M:\%S;}, but remember that the regexp begins IMMEDIATELY after the '=' sign and ends
right before the semicolon or the end of the line. Be careful not to write {\it TimeFormat =~\%b \%e \%H:\%M:\%S;} (a space after the '=') or {\it TimeFormat =\%b \%e \%H:\%M:\%S~;} (a space before the ';') instead of {\it TimeFormat =\%b \%e \%H:\%M:\%S;}: the extra space becomes part of the regexp and could make the TimeFormat impossible to find in the line.

Time coherency within the log is also checked. Imagine that you have a log that results from converting information received through UDP. If
you are a little familiar with UDP, you know that messages are not guaranteed to be received in the order they were sent, so you can have a line whose
date is older than the date of the line written just before it. Kazimir performs this check: if a pattern is seen in the log and the date computed for the
pattern is older than the date of the previous occurrence of this pattern, then the previous date is kept and a warning is printed in
Kazimir's log. What happens if the TimeFormat is NONE in this specific case? Nothing, because the NONE TimeFormat time-stamps every line with the time
when it was seen, so there can be no time incoherency; but only in appearance, because in fact you are not warned of a potentially pathological situation. This
is one of the reasons why I strongly recommend not using the NONE TimeFormat.
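The following is an added example, not code from Kazimir itself, written in Python rather than Kazimir's Perl so that it runs stand-alone. It implements the three points made above: converting a TimeFormat (the subset of conversion signs listed on this page) into a regexp with named groups and reading the date out of a log line, the space caveat (a TimeFormat with a stray leading space no longer matches the line), and the time-coherency rule (an occurrence of a pattern dated older than its previous occurrence keeps the previous date and raises a warning). The sample lines are constructed; the syslog line without a year is given the assumed year 2001 (the page's example date), and a two-digit \%y is assumed to mean 2000-2099.

```python
import re
from datetime import datetime, timezone

# Constructed sample input: the page's /var/log/messages line, and a small
# out-of-order batch such as a UDP-fed log might produce (the third record
# was sent first but arrived last).
SAMPLE_LINE = "Feb 20 02:35:43 gandalf unix: devinfo0 is /pseudo/devinfo@0"
SAMPLE_BATCH = [
    "Feb 20 02:35:43 gandalf sshd[512]: Accepted publickey for alice",
    "Feb 20 02:35:45 gandalf sshd[512]: session opened for user alice",
    "Feb 20 02:35:41 gandalf sshd[512]: Accepted publickey for alice",
]

# Subset of the conversion signs listed on this page, each mapped to a regex
# fragment with a named group. Signs not in this table raise an error.
SIGNS = {
    "%a": r"(?P<a>[A-Za-z]{3})",   # abbreviated weekday, parsed but not needed for the date
    "%b": r"(?P<b>[A-Za-z]{3})",   # abbreviated month name
    "%m": r"(?P<m>\d{2})",         # month number, zero padded
    "%d": r"(?P<d>\d{2})",         # day of month, zero padded
    "%e": r"(?P<e>[ \d]\d)",       # day of month, space padded
    "%y": r"(?P<y>\d{2})",         # year within century
    "%Y": r"(?P<Y>\d{4})",         # full year
    "%H": r"(?P<H>\d{2})",         # hour, zero padded
    "%k": r"(?P<k>[ \d]\d)",       # hour, space padded
    "%M": r"(?P<M>\d{1,2})",       # minutes, leading 0 optional
    "%S": r"(?P<S>\d{1,2})",       # seconds, leading 0 optional
    "%E": r"(?P<E>\d+)",           # seconds since the Unix epoch
}
MONTHS = {name: number for number, name in enumerate(
    ["jan", "feb", "mar", "apr", "may", "jun", "jul", "aug", "sep", "oct", "nov", "dec"], 1)}


def timeformat_to_regex(fmt):
    """Turn a TimeFormat into a compiled regex. Text outside the '%x' signs is
    kept as regex, so an anchor like '^' or a literal host name works as-is."""
    def repl(m):
        sign = m.group(0)
        if sign not in SIGNS:
            raise ValueError(f"unsupported conversion sign {sign!r}")
        return SIGNS[sign]
    return re.compile(re.sub(r"%.", repl, fmt))


def parse_time(fmt, line, default_year=2001, now=None):
    """Return the date of `line` under `fmt`, or None when the TimeFormat does
    not match. 'NONE' stamps the line with the time it was seen (`now`)."""
    if fmt == "NONE":
        return now if now is not None else datetime.now()
    m = timeformat_to_regex(fmt).search(line)
    if m is None:
        return None
    g = m.groupdict()
    if g.get("E") is not None:
        return datetime.fromtimestamp(int(g["E"]), tz=timezone.utc).replace(tzinfo=None)
    # Assumptions: a missing year means `default_year`; %y is in the 2000s.
    year = int(g["Y"]) if g.get("Y") else (2000 + int(g["y"]) if g.get("y") else default_year)
    month = int(g["m"]) if g.get("m") else (MONTHS[g["b"].lower()] if g.get("b") else 1)
    day = int(g.get("d") or g.get("e") or 1)       # int() tolerates the space padding of %e
    hour = int(g.get("H") or g.get("k") or 0)
    return datetime(year, month, day, hour, int(g.get("M") or 0), int(g.get("S") or 0))


class PatternClock:
    """The page's coherency rule: when a pattern's newly computed date is older
    than its previous occurrence, keep the previous date and record a warning."""
    def __init__(self):
        self.last = {}
        self.warnings = []

    def stamp(self, pattern, date):
        prev = self.last.get(pattern)
        if prev is not None and date < prev:
            self.warnings.append(f"pattern {pattern!r}: {date} is older than previous {prev}; keeping {prev}")
            return prev
        self.last[pattern] = date
        return date


def process_batch(fmt, lines, pattern=r"Accepted publickey"):
    """Stamp every line matching `pattern`; return the dates kept and the warnings raised."""
    clock = PatternClock()
    kept = []
    for line in lines:
        if re.search(pattern, line):
            date = parse_time(fmt, line)
            if date is not None:
                kept.append(clock.stamp(pattern, date))
    return kept, clock.warnings


if __name__ == "__main__":
    print(parse_time("^%b %e %H:%M:%S gandalf", SAMPLE_LINE))   # 2001-02-20 02:35:43
    print(parse_time(" %b %e %H:%M:%S", SAMPLE_LINE))           # None: the stray leading space
    print(process_batch("^%b %e %H:%M:%S", SAMPLE_BATCH))
```

The third record of the batch is kept at the date of the first occurrence and produces one warning, which is exactly what the NONE TimeFormat would hide: with NONE, all three lines would be stamped in arrival order and the reordering would go unnoticed.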


Here are valid Kazimir configuration lines for some logs:
{
\tiny
\begin{verbatim}
Log: Name = syslog ; Type = ASCII ; Path = /var/adm/messages ; TimeFormat=%b %e %H:%M:%S;
Log: Name = cmd_respawned  ; TimeFormat = NONE ; Type = CMND_OUT ; Path = /bin/my_command ; UpdateInt = 40s
Log: Name = cmd_not_respawned  ; TimeFormat = NONE ; Type = COROUTINE ; Path = /bin/my_bg_diagnostics ; 
Log: Name = remote_log ; Type = TCPCLIENT ; Path = logport@loghost ; TimeFormat=%m/%d/%Y %H:%M:%S;
\end{verbatim}
}

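As an added example (not part of Kazimir), here is a small checker for 'Log:' lines like the ones above. It splits a line into its keyword/value pairs, keeps the TimeFormat value byte-for-byte (the regexp starts right after '=' and ends right before ';' or the end of the line, as stated above) and flags the two things a defender would want to know before deploying the configuration: a TimeFormat carrying stray whitespace, and a NONE (or missing) TimeFormat, under which out-of-order records cannot be detected. Stripping the other values, and comparing against NONE after stripping, are assumptions; the fifth line is constructed to show the spacing mistake.

```python
# Constructed input: four lines from this page plus one with the spacing
# mistake the page warns about (a space after '=' and before ';').
CONFIG_LINES = [
    "Log: Name = syslog ; Type = ASCII ; Path = /var/adm/messages ; TimeFormat=%b %e %H:%M:%S;",
    "Log: Name = cmd_respawned  ; TimeFormat = NONE ; Type = CMND_OUT ; Path = /bin/my_command ; UpdateInt = 40s",
    "Log: Name = cmd_not_respawned  ; TimeFormat = NONE ; Type = COROUTINE ; Path = /bin/my_bg_diagnostics ; ",
    "Log: Name = remote_log ; Type = TCPCLIENT ; Path = logport@loghost ; TimeFormat=%m/%d/%Y %H:%M:%S;",
    "Log: Name = sloppy ; Type = ASCII ; Path = /var/log/messages ; TimeFormat = %b %e %H:%M:%S ;",
]


def parse_log_tag(line):
    """Split a 'Log:' line into keyword/value pairs. The TimeFormat value is kept
    exactly as written; other values are stripped (an assumption of this example)."""
    body = line.split(":", 1)[1]          # drop the leading 'Log:' tag
    fields = {}
    for chunk in body.split(";"):
        if "=" not in chunk:
            continue                      # empty trailing chunk after the last ';'
        key, value = chunk.split("=", 1)
        key = key.strip()
        fields[key] = value if key == "TimeFormat" else value.strip()
    return fields


def check_timeformat(fields):
    """Return the TimeFormat problems found in one parsed 'Log:' line."""
    problems = []
    tf = fields.get("TimeFormat")
    if tf is None:
        problems.append("no TimeFormat: defaults to NONE, so lines are stamped with the time Kazimir sees them")
    elif tf.strip() == "NONE":            # assumption: NONE is recognised even with spaces around it
        problems.append("TimeFormat NONE: out-of-order records cannot be detected")
    elif tf != tf.strip():
        problems.append(f"TimeFormat {tf!r} carries leading/trailing whitespace that becomes part of the regexp")
    return problems


def lint(lines):
    """Map each log Name to the list of problems found on its configuration line."""
    report = {}
    for line in lines:
        fields = parse_log_tag(line)
        report[fields["Name"]] = check_timeformat(fields)
    return report


if __name__ == "__main__":
    for name, problems in lint(CONFIG_LINES).items():
        print(name, "->", problems or "ok")
```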
Philippe Deniel 2008-07-22