Setting ICAgent Structuring Parsing Rules
You can use ICAgent to collect logs to LTS. When creating a log ingestion task, you can customize collection policies, such as parsing, whitelist, and blacklist rules, and raw log uploading settings. An ICAgent collection configuration defines the process of collecting logs of the same type from a server, parsing them, and sending them to a specified log stream.
Advantages
- Collecting log data in non-intrusive mode as log files: You do not need to modify application code, and log collection does not affect application running.
- Handling various exceptions during log collection: Security measures such as proactive retry and local cache are taken when a network or server exception occurs.
- Centralized management: After installing ICAgent, you only need to set configurations such as host groups and ICAgent collection on the LTS console.
- Comprehensive self-protection mechanisms: ICAgent is designed with strict limitations and protective measures regarding CPU, memory, and network usage, to minimize its impact on the performance of other services sharing the same server.
Before configuring log ingestion, get to know the structuring parsing rules of ICAgent collection to facilitate your operations. LTS enables combined parsing, allowing you to create different structuring parsing rules for each collection configuration of a log stream.
LTS supports the following log structuring parsing rules:
- Single-Line - Full-Text Log: Each log line is displayed as a single log event.
- Multi-Line - Full-Text Log: Multiple lines of exception log events can be displayed as a single log event. This is helpful when you check logs to locate problems.
- JSON: splits JSON logs into key-value pairs.
- Delimiter: applicable to logs separated by fixed symbols (such as spaces, commas, and colons).
- Single-Line - Completely Regular: uses a regular expression to extract fields from single-line logs in any format. After entering a regular expression, click Verify to verify it.
- Multi-Line - Completely Regular: uses a regular expression to extract fields from multi-line logs in any format. The regular expression of the first line can be automatically generated or manually entered. After entering a regular expression, click Verify to verify it.
- Combined Parsing: applicable to logs in multiple nested formats, for example, JSON logs with delimiters. For logs with complex structures and requiring multiple parsing modes, you can use this mode. It allows you to input code of JSON format on the console to define the pipeline logic for log parsing. You can add one or more plug-in processing configurations. ICAgent executes the configurations one by one based on the specified sequence.
Single-Line - Full-Text Log
If you want to display each line of log data as a single log event on the LTS console, select Single-Line - Full-Text Log.
- Select Single-Line - Full-Text Log.
- Enable Log Filtering (disabled by default) as required and add a maximum of 20 whitelist or blacklist rules.
Figure 1 Log filtering rules
- Add a whitelist rule (available only when Log Filtering is enabled).
You can add filtering rules to retain valuable log data by applying regular expressions to the values of specified keys. A filtering rule acts as a matching criterion, collecting and reporting only logs that match the specified regular expression.
- Click Add and enter a key and filtering rule (regular expression). In single-line and multi-line full-text modes, content is used as the key name of the full text by default. The relationship between multiple filtering rules is OR. For example, to collect log events containing hello from the log source file, set the filtering rule to .*hello.*.
- Click the verification icon in the Operation column, enter a field value, and click Verify to verify the rule.
Figure 2 Verification
- Add a blacklist rule (available only when Log Filtering is enabled).
You can add filtering rules to discard unneeded log data by applying regular expressions to the values of specified keys. A filtering rule acts as a discarding criterion: logs that match the specified regular expression are discarded and not reported.
- Click Add and enter a key and filtering rule (regular expression). In single-line and multi-line full-text modes, content is used as the key name of the full text by default. The relationship between multiple filtering rules is OR. For example, if you do not want to collect log events containing test from the log source file, set the filtering rule to .*test.*.
- Click the verification icon in the Operation column, enter a field value, and click Verify to verify the rule.
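To make the whitelist and blacklist behavior concrete, the following is a minimal sketch of how such filtering rules can be evaluated. It is an illustration only, not ICAgent's implementation; the default key name content and the sample rules .*hello.* and .*test.* follow the examples above, and the sample log lines are made up.

```python
import re

# Sample single-line log events. In single-line and multi-line full-text
# modes, the whole log text is the value of the default key "content".
logs = [
    {"content": "hello world: request served"},
    {"content": "test run: debug output"},
    {"content": "ordinary log line"},
]

whitelist = {"content": r".*hello.*"}  # collect only logs matching this rule
blacklist = {"content": r".*test.*"}   # discard logs matching this rule

def is_collected(log: dict) -> bool:
    # Whitelist: at least one rule must match (rules are ORed).
    if whitelist and not any(
        re.match(rule, log.get(key, "")) for key, rule in whitelist.items()
    ):
        return False
    # Blacklist: any matching rule discards the log (rules are ORed).
    if any(re.match(rule, log.get(key, "")) for key, rule in blacklist.items()):
        return False
    return True

for log in logs:
    status = "collected" if is_collected(log) else "dropped"
    print(f"{log['content']!r} -> {status}")
# Only the "hello world" line is collected.
```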
Multi-Line - Full-Text Log
Multiple lines of exception log events can be displayed as a single log event. This is helpful when you check logs to locate problems.
- Select Multi-Line - Full-Text Log.
- Select a log example from existing logs or paste it from the clipboard.
- Click Select from Existing Logs, select a log event, and click OK. You can select different time ranges to filter logs.
- Click Paste from Clipboard to paste the copied log content to the Log Example box.
- A regular expression can be automatically generated or manually entered under Regular Expression of the First Line. The regular expression of the first line must match the entire first line, not just the beginning of the first line.
Figure 3 Regular expression of the first line
- Enable Log Filtering (disabled by default) as required and add a maximum of 20 whitelist or blacklist rules.
Figure 4 Log filtering rules
- Add a whitelist rule (available only when Log Filtering is enabled).
You can add filtering rules to retain valuable log data by applying regular expressions to the values of specified keys. A filtering rule acts as a matching criterion, collecting and reporting only logs that match the specified regular expression.
- Click Add and enter a key and filtering rule (regular expression). In single-line and multi-line full-text modes, content is used as the key name of the full text by default. The relationship between multiple filtering rules is OR. For example, to collect log events containing hello from the log source file, set the filtering rule to .*hello.*.
- Click the verification icon in the Operation column, enter a field value, and click Verify to verify the rule.
Figure 5 Verification
- Add a blacklist rule (available only when Log Filtering is enabled).
You can add filtering rules to discard unneeded log data by applying regular expressions to the values of specified keys. A filtering rule acts as a discarding criterion: logs that match the specified regular expression are discarded and not reported.
- Click Add and enter a key and filtering rule (regular expression). In single-line and multi-line full-text modes, content is used as the key name of the full text by default. The relationship between multiple filtering rules is OR. For example, if you do not want to collect log events containing test from the log source file, set the filtering rule to .*test.*.
- Click the verification icon in the Operation column, enter a field value, and click Verify to verify the rule.
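As an illustration of how the first-line regular expression groups continuation lines into one log event, here is a minimal sketch. The sample exception log and the timestamp-based pattern are assumptions made for the example; this is not ICAgent's implementation.

```python
import re

raw_lines = [
    "2024-10-11 10:59:07.000 ERROR Exception in thread main",
    "    at com.example.App.run(App.java:42)",
    "    at com.example.App.main(App.java:10)",
    "2024-10-11 10:59:17.000 INFO request handled",
]

# First-line regex: it must match the entire first line of every log event.
first_line = re.compile(r"^\d+-\d+-\d+\s+\d+:\d+:\d+\.\d+\s+.*$")

events, current = [], []
for line in raw_lines:
    if first_line.match(line) and current:
        events.append("\n".join(current))  # close the previous event
        current = []
    current.append(line)
if current:
    events.append("\n".join(current))

for event in events:
    print("--- one log event ---")
    print(event)
# The stack trace lines stay attached to the line that starts the event.
```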
JSON
This option is applicable to JSON logs and splits them into key-value pairs.
- Choose JSON.
- Enable Log Filtering (disabled by default) as required and add a maximum of 20 whitelist or blacklist rules.
Figure 6 Log filtering rules
- Add a whitelist rule (available only when Log Filtering is enabled).
You can add filtering rules to retain valuable log data by applying regular expressions to the values of specified keys. A filtering rule acts as a matching criterion, collecting and reporting only logs that match the specified regular expression.
- Click Add and enter a key and filtering rule (regular expression). A key is a log field name. The relationship between multiple filtering rules is OR. For example, to collect log events containing hello from the log source file, set the filtering rule to .*hello.*.
- Click the verification icon in the Operation column, enter a field value, and click Verify to verify the rule.
Figure 7 Verification
- Add a blacklist rule (available only when Log Filtering is enabled).
You can add filtering rules to discard unneeded log data by applying regular expressions to the values of specified keys. A filtering rule acts as a discarding criterion: logs that match the specified regular expression are discarded and not reported.
- Click Add and enter a key and filtering rule (regular expression). A key is a log field name. The relationship between multiple filtering rules is OR. For example, if you do not want to collect log events containing test from the log source file, set the filtering rule to .*test.*.
- Click the verification icon in the Operation column, enter a field value, and click Verify to verify the rule.
- Raw Log Upload:
After this function is enabled, raw logs are uploaded to LTS as the value of the content field.
- Upload Parsing Failure Log:
After this function is enabled, raw logs are uploaded to LTS as the value of the _content_parse_fail_ field.
- Custom Time:
Enabling this lets you specify a field as the log time. Otherwise, the time set during ingestion configuration is used.
- JSON Parsing Layers: Add 1 to 4 JSON parsing layers. The value must be an integer and is 1 by default.
This function expands the fields of a JSON log. For example, for the raw log {"key1":{"key2":"value"}}, parsing to 1 layer produces the field key1 with the value {"key2":"value"}, while parsing to 2 layers produces the field key1.key2 with the value value.
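The effect of JSON Parsing Layers can be pictured with a small sketch that flattens a nested JSON object up to a given depth. This only mimics the layering behavior described above and is not ICAgent's code; the "." connector follows the key1.key2 example.

```python
import json

def flatten(obj, depth, prefix=""):
    """Expand nested JSON objects up to `depth` layers, joining keys with '.'."""
    result = {}
    for key, value in obj.items():
        name = prefix + key
        if isinstance(value, dict) and depth > 1:
            result.update(flatten(value, depth - 1, name + "."))
        else:
            # Content below the chosen depth is kept as a JSON string.
            result[name] = json.dumps(value) if isinstance(value, dict) else value
    return result

raw = {"key1": {"key2": "value"}}
print(flatten(raw, depth=1))  # {'key1': '{"key2": "value"}'}
print(flatten(raw, depth=2))  # {'key1.key2': 'value'}
```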
Delimiter
Logs can be parsed by delimiters, such as commas (,), spaces, or other special characters.
- Select Delimiter.
- Select or customize a delimiter.
- Select a log example from existing logs or paste it from the clipboard, click Verify, and view the results under Extraction Results.
- Click Select from Existing Logs, select a log event, and click OK. You can select different time ranges to filter logs.
- Click Paste from Clipboard to paste the copied log content to the Log Example box.
Figure 8 Delimiter
- Enable Log Filtering (disabled by default) as required and add a maximum of 20 whitelist or blacklist rules.
Figure 9 Log filtering rules
- Add a whitelist rule (available only when Log Filtering is enabled).
You can add filtering rules to retain valuable log data by applying regular expressions to the values of specified keys. A filtering rule acts as a matching criterion, collecting and reporting only logs that match the specified regular expression.
- Click Add and enter a key and filtering rule (regular expression). A key is a log field name. The relationship between multiple filtering rules is OR. For example, to collect log events containing hello from the log source file, set the filtering rule to .*hello.*.
- Click the verification icon in the Operation column, enter a field value, and click Verify to verify the rule.
Figure 10 Verification
- Add a blacklist rule (available only when Log Filtering is enabled).
You can add filtering rules to discard unneeded log data by applying regular expressions to the values of specified keys. A filtering rule acts as a discarding criterion: logs that match the specified regular expression are discarded and not reported.
- Click Add and enter a key and filtering rule (regular expression). A key is a log field name. The relationship between multiple filtering rules is OR. For example, if you do not want to collect log events containing test from the log source file, set the filtering rule to .*test.*.
- Click the verification icon in the Operation column, enter a field value, and click Verify to verify the rule.
- Raw Log Upload:
After this function is enabled, raw logs are uploaded to LTS as the value of the content field.
- Upload Parsing Failure Log:
After this function is enabled, raw logs are uploaded to LTS as the value of the _content_parse_fail_ field.
- Custom Time:
Enabling this lets you specify a field as the log time. Otherwise, the time set during ingestion configuration is used.
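As a simple illustration of the delimiter parsing described in this section, the following sketch splits a comma-separated log line into named fields. The sample line and the field names time, level, and message are made up for the example; this only mimics the behavior of the rule.

```python
log_line = "2024-10-11 10:59:07,WARN,disk usage above 80%"

delimiter = ","                      # the delimiter configured for the rule
keys = ["time", "level", "message"]  # hypothetical names for the split parts

parsed = dict(zip(keys, log_line.split(delimiter)))
print(parsed)
# {'time': '2024-10-11 10:59:07', 'level': 'WARN', 'message': 'disk usage above 80%'}
```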
Single-Line - Completely Regular
This option is applicable to single-line logs in any format and uses a regular expression to extract fields.
- Select Single-Line - Completely Regular.
- Select a log example from existing logs or paste it from the clipboard.
- Click Select from Existing Logs, select a log event, and click OK. You can select different time ranges to filter logs.
- Click Paste from Clipboard to paste the copied log content to the Log Example box.
- Enter a regular expression for extracting the log under Extraction Regular Expression, click Verify, and view the results under Extraction Results.
Alternatively, click the automatic generation option. In the displayed dialog box, select the content to extract from the log example, enter the key names, and click OK to automatically generate a regular expression. Then, click OK.
Figure 11 Extracting a regular expression
- Enable Log Filtering (disabled by default) as required and add a maximum of 20 whitelist or blacklist rules.
Figure 12 Log filtering rules
- Add a whitelist rule (available only when Log Filtering is enabled).
You can add filtering rules to retain valuable log data by applying regular expressions to the values of specified keys. A filtering rule acts as a matching criterion, collecting and reporting only logs that match the specified regular expression.
- Click Add and enter a key and filtering rule (regular expression). A key is a log field name. The relationship between multiple filtering rules is OR. For example, to collect log events containing hello from the log source file, set the filtering rule to .*hello.*.
- Click the verification icon in the Operation column, enter a field value, and click Verify to verify the rule.
Figure 13 Verification
- Add a blacklist rule (available only when Log Filtering is enabled).
You can add filtering rules to discard unneeded log data by applying regular expressions to the values of specified keys. A filtering rule acts as a discarding criterion: logs that match the specified regular expression are discarded and not reported.
- Click Add and enter a key and filtering rule (regular expression). A key is a log field name. The relationship between multiple filtering rules is OR. For example, if you do not want to collect log events containing test from the log source file, set the filtering rule to .*test.*.
- Click the verification icon in the Operation column, enter a field value, and click Verify to verify the rule.
- Raw Log Upload:
After this function is enabled, raw logs are uploaded to LTS as the value of the content field.
- Upload Parsing Failure Log:
After this function is enabled, raw logs are uploaded to LTS as the value of the _content_parse_fail_ field.
- Custom Time:
Enabling this lets you specify a field as the log time. Otherwise, the time set during ingestion configuration is used.
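The extraction regular expression maps capture groups to field names. The following sketch, using a made-up access-log line and named groups, shows the kind of result the Verify step displays; it is an illustration, not ICAgent's implementation.

```python
import re

log_line = '192.168.0.1 - - [11/Oct/2024:10:59:07 +0800] "GET /index.html" 200 612'

# Each capture group becomes one extracted field.
pattern = re.compile(
    r'^(?P<client_ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d+) (?P<body_bytes>\d+)$'
)

match = pattern.match(log_line)
if match:
    print(match.groupdict())
# {'client_ip': '192.168.0.1', 'time': '11/Oct/2024:10:59:07 +0800',
#  'request': 'GET /index.html', 'status': '200', 'body_bytes': '612'}
```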
Multi-Line - Completely Regular
This option is applicable to multi-line logs in any format and uses a regular expression to extract fields.
- Select Multi-Line - Completely Regular.
- Select a log example from existing logs or paste it from the clipboard.
- Click Select from Existing Logs, select a log event, and click OK. You can select different time ranges to filter logs.
- Click Paste from Clipboard to paste the copied log content to the Log Example box.
- A regular expression can be automatically generated or manually entered under Regular Expression of the First Line. The regular expression of the first line must match the entire first line, not just the beginning of the first line.
The regular expression of the first line is used to identify the beginning of each multi-line log event. Example raw log content:
2024-10-11 10:59:07.000 a.log:1 level:warn
no.1 log
2024-10-11 10:59:17.000 a.log:2 level:warn
no.2 log
Complete log event:
2024-10-11 10:59:07.000 a.log:1 level:warn
no.1 log
First line:
2024-10-11 10:59:07.000 a.log:1 level:warn
Example of the regular expression of the first line: ^(\d+-\d+-\d+\s+\d+:\d+:\d+\.\d+). The date and time at the beginning of each first line are unique to that line, so the regular expression of the first line can be generated based on them.
- Enter a regular expression for extracting the log under Extraction Regular Expression, click Verify, and view the results under Extraction Results.
Alternatively, click the automatic generation option. In the displayed dialog box, select the content to extract from the log example, enter the key names, and click OK to automatically generate a regular expression. Then, click OK.
The extraction result is the execution result of the extraction regular expression instead of the first line regular expression. To check the execution result of the first line regular expression, go to the target log stream.
If you enter an incorrect regular expression for Regular Expression of the First Line, you cannot view the reported log stream data.
Figure 14 Setting a regular expression
- Enable Log Filtering (disabled by default) as required and add a maximum of 20 whitelist or blacklist rules.
Figure 15 Log filtering rules
- Add a whitelist rule (available only when Log Filtering is enabled).
You can add filtering rules to retain valuable log data by applying regular expressions to the values of specified keys. A filtering rule acts as a matching criterion, collecting and reporting only logs that match the specified regular expression.
- Click Add and enter a key and filtering rule (regular expression). A key is a log field name. The relationship between multiple filtering rules is OR. For example, to collect log events containing hello from the log source file, set the filtering rule to .*hello.*.
- Click the verification icon in the Operation column, enter a field value, and click Verify to verify the rule.
Figure 16 Verification
- Add a blacklist rule (available only when Log Filtering is enabled).
You can add filtering rules to discard unneeded log data by applying regular expressions to the values of specified keys. A filtering rule acts as a discarding criterion: logs that match the specified regular expression are discarded and not reported.
- Click Add and enter a key and filtering rule (regular expression). A key is a log field name. The relationship between multiple filtering rules is OR. For example, if you do not want to collect log events containing test from the log source file, set the filtering rule to .*test.*.
- Click the verification icon in the Operation column, enter a field value, and click Verify to verify the rule.
- Raw Log Upload:
After this function is enabled, raw logs are uploaded to LTS as the value of the content field.
- Upload Parsing Failure Log:
After this function is enabled, raw logs are uploaded to LTS as the value of the _content_parse_fail_ field.
- Custom Time:
Enabling this lets you specify a field as the log time. Otherwise, the time set during ingestion configuration is used.
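For multi-line logs, the first-line regular expression only finds where each event begins, while the extraction regular expression is applied to the whole multi-line event. The sketch below applies an extraction regular expression to the two-line example event shown above; the field names and the exact pattern are illustrative, not ICAgent's implementation.

```python
import re

# One multi-line log event, as grouped by the first-line regular expression.
event = "2024-10-11 10:59:07.000 a.log:1 level:warn\nno.1 log"

# Extraction regex: capture the timestamp, file reference, level, and body.
pattern = re.compile(
    r"^(?P<time>\d+-\d+-\d+\s+\d+:\d+:\d+\.\d+)\s+"
    r"(?P<source>\S+)\s+level:(?P<level>\w+)\s*(?P<body>.*)$",
    re.DOTALL,  # let the body group span line breaks
)

match = pattern.match(event)
if match:
    print(match.groupdict())
# {'time': '2024-10-11 10:59:07.000', 'source': 'a.log:1',
#  'level': 'warn', 'body': 'no.1 log'}
```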
Combined Parsing
This option is applicable to logs in multiple nested formats, for example, JSON logs with delimiters. You can customize parsing rules based on the syntax.
- Select Combined Parsing.
- Select a log example from existing logs or paste it from the clipboard and enter the configuration content under Plug-in Settings.
- Customize the settings based on the log content by referring to the following plug-in syntaxes.
- processor_regex
Table 1 Regular expression extraction

| Parameter | Type | Description |
|---|---|---|
| source_key | string | Original field name. |
| regex | string | Regular expression. () indicates a field to be extracted. |
| keys | string | Field names for the extracted content. |
| keep_source | boolean | Whether to retain the original field. |
| keep_source_if_parse_error | boolean | Whether to retain the original field when a parsing error occurs. |
- processor_split_string
Table 2 Parsing using delimiters

| Parameter | Type | Description |
|---|---|---|
| source_key | string | Original field name. |
| split_sep | string | Delimiter string. |
| keys | string | Field names for the extracted content. |
| keep_source | boolean | Whether to retain the original field in the parsed log. |
| split_type | char/special_char/string | Delimiter type: char (single character), special_char (invisible character), or string. |
| keep_source_if_parse_error | boolean | Whether to retain the original field when a parsing error occurs. |
- processor_split_key_value
Table 3 Key-value pair segmentation

| Parameter | Type | Description |
|---|---|---|
| source_key | string | Original field name. |
| split_sep | string | Delimiter between key-value pairs. The default value is the tab character (\t). |
| expand_connector | string | Delimiter between the key and value in a key-value pair. The default value is a colon (:). |
| keep_source | boolean | Whether to retain the original field in the parsed log. |
- processor_add_fields
Table 4 Adding a field

| Parameter | Type | Description |
|---|---|---|
| fields | json/object | Name and value of the field to be added, in key-value pair format. Multiple key-value pairs can be added. |
- processor_drop
Table 5 Discarding fields

| Parameter | Type | Description |
|---|---|---|
| drop_keys | string | List of fields to be discarded. |
- processor_rename
Table 6 Renaming a field

| Parameter | Type | Description |
|---|---|---|
| source_keys | string | Original field names. |
| dest_keys | string | New field names. |
- processor_json
Table 7 JSON expansion and extraction

| Parameter | Type | Description |
|---|---|---|
| source_key | string | Original field name. |
| keep_source | string | Whether to retain the original field in the parsed log. |
| expand_depth | int | JSON expansion depth. The default value 0 indicates that the depth is not limited. Other numbers, such as 1, indicate the current level. |
| expand_connector | string | Connector used when expanding JSON. The default value is an underscore (_). |
| prefix | string | Prefix added to field names when JSON is expanded. |
| keep_source_if_parse_error | boolean | Whether to retain the original field when a parsing error occurs. |
- processor_filter_regex
Table 8 Filters

| Parameter | Type | Description |
|---|---|---|
| include | json/object | The key indicates the log field, and the value indicates the regular expression to be matched. |
| exclude | json/object | The key indicates the log field, and the value indicates the regular expression to be matched. |
- processor_gotime
Table 9 Time extraction

| Parameter | Type | Description |
|---|---|---|
| source_key | string | Original field name. |
| source_format | string | Original time format. |
| source_location | int | Original time zone. If the value is empty, the time zone of the host or container where ICAgent is located is used. |
| dest_key | string | Target field after parsing. |
| dest_format | string | Time format after parsing. |
| dest_location | int | Time zone after parsing. If this parameter is left blank, the time zone of the local host is used. |
| set_time | boolean | Whether to set the parsed time as the log time. |
| keep_source | boolean | Whether to retain the original field in the parsed log. |
- Example:
```json
[
  {
    "type": "processor_regex",
    "detail": {
      "source_key": "content",
      "regex": "*",
      "keys": ["key1", "key2"],
      "multi_line_regex": "*",
      "keep_source": true,
      "keep_source_if_parse_error": true
    }
  },
  {
    "type": "processor_split_string",
    "detail": {
      "split_sep": ".",
      "split_type": ".",
      "split_keys": ["key1", "key2"],
      "source_key": "context",
      "keep_source": true,
      "keep_source_if_parse_error": true
    }
  },
  {
    "type": "processor_add_fields",
    "detail": {
      "fields": [
        {"key1": "value1"},
        {"key2": "value2"}
      ]
    }
  },
  {
    "type": "processor_drop",
    "detail": {
      "drop_keys": ["key1", "key2"]
    }
  },
  {
    "type": "processor_rename",
    "detail": {
      "source_key": ["skey1", "skey2"],
      "dest_keys": ["dkey1", "dkey2"]
    }
  },
  {
    "type": "processor_json",
    "detail": {
      "source_key": "context",
      "expand_depth": 4,
      "expand_connector": "_",
      "prefix": "prefix",
      "keep_source": true,
      "keep_source_if_parse_error": true
    }
  },
  {
    "type": "processor_gotime",
    "detail": {
      "source_key": "skey",
      "source_format": "ydm",
      "source_location": 8,
      "dest_key": "dkey",
      "dest_format": "ydm",
      "dest_location": 8,
      "set_time": true,
      "keep_source": true,
      "keep_source_if_parse_error": true
    }
  },
  {
    "type": "processor_filter_regex",
    "detail": {
      "include": {"ikey1": "*", "ikey2": "*"},
      "exclude": {"ekey1": "*", "ekey2": "*"}
    }
  }
]
```
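The combined example above does not include processor_split_key_value. As a rough illustration of what that plug-in's split_sep and expand_connector parameters control, the following sketch splits a key-value log into fields. It only mimics the described behavior with made-up sample content; it is not the plug-in's actual code.

```python
content = "class:main\tuser:root\tresult:ok"

split_sep = "\t"        # delimiter between key-value pairs (default: tab)
expand_connector = ":"  # delimiter between key and value (default: colon)

fields = {}
for pair in content.split(split_sep):
    key, _, value = pair.partition(expand_connector)
    fields[key] = value

print(fields)  # {'class': 'main', 'user': 'root', 'result': 'ok'}
```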
Custom Time
Enable Custom Time and set parameters by referring to Table 10.
- If the time format is incorrect or the specified field does not exist, the log time is the time set during ingestion configuration.
- The time field must be verified again after structuring parsing operations such as renaming a field, deleting a field, or changing a field type.
Table 10 Custom time parameters

| Parameter | Description | Example |
|---|---|---|
| Key Name of the Time Field | Name of an extracted field. You can select an extracted field from the drop-down list. The field is of the string or long type. | test |
| Field Value | Value of the extracted field. After a key is selected, the value is automatically filled in. NOTE: The value of the field must be within 24 hours earlier or later than the current time. | 2023-07-19 12:12:00 |
| Time Format | For details, see Common Log Time Formats. | yyyy-MM-dd HH:mm:ss |
| Operation | Click the verification icon. If the message "The time format is successfully matched with the time field value." is displayed, the verification is successful. | - |
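To see how a time format such as yyyy-MM-dd HH:mm:ss relates to a field value, the sketch below parses the example value with Python's strptime, using the equivalent %Y-%m-%d %H:%M:%S directives. The mapping between the console's pattern letters and strptime directives is an assumption made for this illustration; the console's Verify step is the authoritative check.

```python
from datetime import datetime

field_value = "2023-07-19 12:12:00"     # value of the selected time field
console_format = "yyyy-MM-dd HH:mm:ss"  # format entered on the console

# Equivalent strptime directives for this particular pattern.
strptime_format = "%Y-%m-%d %H:%M:%S"

log_time = datetime.strptime(field_value, strptime_format)
print(log_time.isoformat())  # 2023-07-19T12:12:00
```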
Common Log Time Formats
Table 11 lists common log time formats.
By default, log timestamps in LTS are accurate to seconds. You do not need to configure information such as milliseconds and microseconds.
Table 11 Common log time formats

| Format | Description | Example |
|---|---|---|
| EEE | Abbreviated day of the week. | Fri |
| EEEE | Full name of the day of the week. | Friday |
| MMM | Abbreviated month name. | Jan |
| MMMM | Full month name. | January |
| dd | Day of the month, ranging from 01 to 31 (decimal). | 07, 31 |
| HH | Hour, in 24-hour format. | 22 |
| hh | Hour, in 12-hour format. | 11 |
| MM | Month number, ranging from 01 to 12 (decimal). | 08 |
| mm | Minute, ranging from 00 to 59 (decimal). | 59 |
| a | AM or PM. | AM, PM |
| hh:mm:ss a | Time in 12-hour format. | 11:59:59 AM |
| HH:mm | Hour and minute. | 23:59 |
| ss | Second, ranging from 00 to 59 (decimal). | 59 |
| yy | Year without century, ranging from 00 to 99 (decimal). | 04, 98 |
| yyyy | Year (decimal). | 2004, 1998 |
| d | Day of the month, ranging from 1 to 31 (decimal). A single-digit value is preceded by a space. | 7, 31 |
| DDD | Day of the year, ranging from 001 to 366 (decimal). | 365 |
| u | Day of the week, ranging from 1 to 7 (decimal). The value 1 indicates Monday. | 2 |
| w | Week of the year. Sunday is the start of a week. The value ranges from 00 to 53. | 23 |
| W | Week of the year. Monday is the start of a week. The value ranges from 01 to 53. A week is the first week of a month if it has at least four days in that month; otherwise, the following week is the first week. | 24 |
| U | Day of the week, ranging from 0 to 6 (decimal). The value 0 indicates Sunday. | 5 |
| EEE MMM dd HH:mm:ss yyyy | Standard date and time. | Tue Nov 20 14:12:58 2020 |
| EEE MMM dd yyyy | Standard date without time. | Tue Nov 20 2020 |
| HH:mm:ss | Standard time without date. | 11:59:59 |
| %s | UNIX timestamp. | 147618725 |