<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Log Insights - Agents - Parser RegExp in VMware Aria Operations for Logs Discussions</title>
    <link>https://communities.vmware.com/t5/VMware-Aria-Operations-for-Logs/Log-Insights-Agents-Parser-RegExp/m-p/2294045#M2073</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;To get all the text in to one logevent you need to define a event marker in your filelog config it's right under the directory line in the gui. I see in your screenchot you only had the default ^ in the textbox for event marker and ^ means start of line if i'm not misstaken. So you need to do a regexp for the start of every event. If for example every line starts with the timecode you have in the example you gave you need to match that in event marker. ^\[\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}-\d{2}:\d{2}\] will match lines that starts like this &lt;SPAN style="color: #666666; font-family: proxima-nova, Arial, sans-serif;"&gt;[2020-06-10T15:28:10-04:00] and put everything after that into one log event until the next match.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="color: #666666; font-family: proxima-nova, Arial, sans-serif;"&gt;The parser can then be used to parse the event into fields for filtering.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="color: #666666; font-family: proxima-nova, Arial, sans-serif;"&gt;Hope that helps&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="color: #666666; font-family: proxima-nova, Arial, sans-serif;"&gt;Best regards&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="color: #666666; font-family: proxima-nova, Arial, sans-serif;"&gt;//Mattias&lt;/SPAN&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Mon, 29 Jun 2020 07:32:38 GMT</pubDate>
    <dc:creator>Cederberg</dc:creator>
    <dc:date>2020-06-29T07:32:38Z</dc:date>
    <item>
      <title>Log Insights - Agents - Parser RegExp</title>
      <link>https://communities.vmware.com/t5/VMware-Aria-Operations-for-Logs/Log-Insights-Agents-Parser-RegExp/m-p/2294044#M2072</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I am a newbie to LOG INSIGHTS and did good in figuring out with the help of this community and online documentations. However, I am stuck with Regexp and because of that I am not able to retrieve the data as expected in the tool. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I have a very large log file on one of the server with information close to below.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Issue:- In the Interactive Analytics it is displaying one row for each line, hence the below log is shown as 12 different lines for each timestamp.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;[2020-06-10T15:28:10-04:00] [OBIPS] [TRACE:1] [] [saw.rpc.server.processHeartbeat] [ecid: xxxxxxxxxxxxxxxxxxxxxx,0] [tid: 3793676032] [SI-Name: ] [IDD-Name: ] [IDD-GUID: ] [userId: ] Processing heartbeat message.[[&lt;/P&gt;&lt;P&gt;File:socketrpcserver.cpp&lt;/P&gt;&lt;P&gt;Line:399&lt;/P&gt;&lt;P&gt;Location:&lt;/P&gt;&lt;P&gt;saw.rpc.server.processHeartbeat&lt;/P&gt;&lt;P&gt;saw.rpc.server.responder&lt;/P&gt;&lt;P&gt;saw.rpc.server&lt;/P&gt;&lt;P&gt;saw.rpc.server.handleConnection&lt;/P&gt;&lt;P&gt;saw.rpc.server.dispatch&lt;/P&gt;&lt;P&gt;saw.threadpool.socketrpcserver&lt;/P&gt;&lt;P&gt;saw.threads&lt;/P&gt;&lt;P&gt;]]&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;So I have used the following RegExp code which works perfect when I checked in &lt;A href="https://regex101.com/" title="https://regex101.com/"&gt;https://regex101.com/&lt;/A&gt;​ . But it haven't improved my results.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;(?&amp;lt;DateTime&amp;gt;\[.*?\]) (?&amp;lt;OBIPS&amp;gt;\[.*?\]) (?&amp;lt;TRACE&amp;gt;\[.*?\]) (?&amp;lt;EMP&amp;gt;\[.*?\]) (?&amp;lt;FRISTMSG&amp;gt;\[.*?\]) (?&amp;lt;ECID&amp;gt;\[.*?\]) (?&amp;lt;TID&amp;gt;\[.*?\]) (?&amp;lt;SINAME&amp;gt;\[.*?\]) (?&amp;lt;IDDNAME&amp;gt;\[.*?\]) (?&amp;lt;IDDGUID&amp;gt;\[.*?\]) (?&amp;lt;USRID&amp;gt;\[.*?\[)(?&amp;lt;COMPLETE&amp;gt;\[\s*[\w\W]*?\]\])&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;I have attached some screenshots and the above scenario in the document.&lt;/STRONG&gt; Could you please take a look at it and help me out?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I greatly appreciate your responses and help.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thank you,&lt;/P&gt;&lt;P&gt;Rama&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 12 Jun 2020 14:25:22 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/VMware-Aria-Operations-for-Logs/Log-Insights-Agents-Parser-RegExp/m-p/2294044#M2072</guid>
      <dc:creator>RNaray308</dc:creator>
      <dc:date>2020-06-12T14:25:22Z</dc:date>
    </item>
    <item>
      <title>Re: Log Insights - Agents - Parser RegExp</title>
      <link>https://communities.vmware.com/t5/VMware-Aria-Operations-for-Logs/Log-Insights-Agents-Parser-RegExp/m-p/2294045#M2073</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;To get all the text in to one logevent you need to define a event marker in your filelog config it's right under the directory line in the gui. I see in your screenchot you only had the default ^ in the textbox for event marker and ^ means start of line if i'm not misstaken. So you need to do a regexp for the start of every event. If for example every line starts with the timecode you have in the example you gave you need to match that in event marker. ^\[\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}-\d{2}:\d{2}\] will match lines that starts like this &lt;SPAN style="color: #666666; font-family: proxima-nova, Arial, sans-serif;"&gt;[2020-06-10T15:28:10-04:00] and put everything after that into one log event until the next match.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="color: #666666; font-family: proxima-nova, Arial, sans-serif;"&gt;The parser can then be used to parse the event into fields for filtering.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="color: #666666; font-family: proxima-nova, Arial, sans-serif;"&gt;Hope that helps&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="color: #666666; font-family: proxima-nova, Arial, sans-serif;"&gt;Best regards&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="color: #666666; font-family: proxima-nova, Arial, sans-serif;"&gt;//Mattias&lt;/SPAN&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 29 Jun 2020 07:32:38 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/VMware-Aria-Operations-for-Logs/Log-Insights-Agents-Parser-RegExp/m-p/2294045#M2073</guid>
      <dc:creator>Cederberg</dc:creator>
      <dc:date>2020-06-29T07:32:38Z</dc:date>
    </item>
  </channel>
</rss>

