Collect DSV formatted logs

Background information

DSV formatted logs use line breaks as boundaries. Each line is a log. The fields of each log are delimited by using single-character delimiters or multi-character delimiters. If a field contains delimiters, you can enclose the field with a pair of quotes.

Commonly used DSV formatted logs include comma-separated values (CSV) and tab-separated values (TSV) formatted logs.

• Single-character delimiter

  The following examples list some log entries with single-character delimiters:

  05/May/2016:13:30:28,10.10. *. *,"POST /PutData? Category=YunOsAccountOpLog&AccessKeyId=****************&Date=Fri%2C%2028%20Jun%202013%2006%3A53%3A30%20GMT&Topic=raw&Signature=******************************** HTTP/1.1",200,18204,aliyun-sdk-java
  05/May/2016:13:31:23,10.10. *. *,"POST /PutData? Category=YunOsAccountOpLog&AccessKeyId=****************&Date=Fri%2C%2028%20Jun%202013%2006%3A53%3A30%20GMT&Topic=raw&Signature=******************************** HTTP/1.1",401,23472,aliyun-sdk-java

  For the log entries with single-character delimiters, you must specify each delimiter. You can also use a pair of quotes in the log entry.

  • Delimiter: Available single-character delimiters include the tab (\t), vertical bar (|), space, comma (,), and semicolon (;). You can also specify a non-printable character as the delimiter. A double quotation mark (") cannot be used as the delimiter.

    However, a double quotation mark (") can be used as a quote. You can place the double quotation mark at the border of a field, or in the field. If a double quotation mark (") is included in a log field but is not used as a quote, it must be escaped as double quotation marks (""). When Log Service parses log fields, the double quotation marks ("") are automatically converted into a double quotation mark ("). For example, if you specify a comma (,) as the delimiter, and double quotation mark (") as the quote in a log field, you must enclose the field that contains commas by using a pair of quotes. In addition, you must escape the double quotation mark (") in the field to double quotation marks (""). The log format after processing is 1999,Chevy,"Venture ""Extended Edition, Very Large""","",5000.00. The log entry can be parsed into five fields: 1999, Chevy, Venture "Extended Edition, Very Large", an empty field, and 5000.00.

  • Quote: If a log field contains delimiters, you must specify a pair of quotes to enclose the field. Log Service parses the content that is enclosed in a pair of quotes into a new complete field.

    Available quotes include the tab (\t), vertical bar (|), space, comma (,), semicolon (;), and non-printable characters.

    For example, you specify a comma (,) as the delimiter, and double quotation mark (") as the quote in log fields. The log entry is 1997,Ford,E350,"ac, abs, moon",3000.00. Then the log entry can be parsed into five fields: 1997, Ford, E350, ac, abs, moon, 3000.00.

• Multi-character delimiter
  The following examples list some log entries with multi-character delimiters:

  05/May/2016:13:30:28&&10.200. **. **&&POST /PutData? Category=YunOsAccountOpLog&AccessKeyId=****************&Date=Fri%2C%2028%20Jun%202013%2006%3A53%3A30%20GMT&Topic=raw&Signature=pD12XYLmGxKQ%2Bmkd6x7hAgQ7b1c%3D HTTP/1.1&&200&&18204&&aliyun-sdk-java
  05/May/2016:13:31:23&&10.200. **. **&&POST /PutData? Category=YunOsAccountOpLog&AccessKeyId=****************&Date=Fri%2C%2028%20Jun%202013%2006%3A53%3A30%20GMT&Topic=raw&Signature=******************************** HTTP/1.1&&401&&23472&&aliyun-sdk-java

  A multi-character delimiter can contain two or three characters, such as | |, &&&, ^_^). Log Service parses log field based on delimiters. You do not need to use quotes to enclose the log field to be parsed.

  Note You must ensure that the delimiters in a field cannot be parsed into a new field. Otherwise, Log Service cannot parse the field as expected.

  For example, you specify && as the delimiter. The log entry 1997&&Ford&&E350&&ac&abs&moon&&3000.00 is parsed into the following five fields: 1997, Ford, E350, ac&abs&moon, 3000.00.

Procedure

1. Log on to the Log Service console.
2. In the Import Data section, select Delimiter Mode - Text Log.
3. In the Specify Logstore step, select the target project and Logstore, and click Next.
   You can also click Create Now to create a project and a Logstore. For more information, see Step 1: Create a project and a Logstore.
4. In the Create Machine Group step, create a machine group.
   • If a machine group is available, click Using Existing Machine Groups.
   • If no machine group is available, perform the following steps. The following steps take ECS instances as an example to describe how to create a machine group:
     1. Click the ECS Instances tab. On the tab, select the ECS instances that you want to add to a machine group and then click Install.

        If Logtail is installed on the ECS instances, click Complete Installation.

        Note

        • If the ECS instances run Linux, click Install and Logtail is automatically installed on the ECS instances.
        • If the ECS instances run Windows, you must manually install Logtail on the ECS instances. For more information, see Install Logtail in Windows.
        • If you want to collect logs from a user-created cluster, you must manually install Logtail on the servers in the cluster. For more information, see Install Logtail in Linux or Install Logtail in Windows.
     2. After the installation is completed, click Complete Installation.
     3. On the page that appears, set relevant parameters for the machine group. For more information, see Create an IP address-based machine group or Create a custom ID-based machine group.
5. In the Machine Group Settings step, apply Logtail configurations to the machine group.
   Select the created machine group and move the group from Source Machine Groups to Applied Machine Groups.
6. In the Logtail Config step, create a Logtail configuration file.

   Parameter	Description
   Config Name	The name of the Logtail configuration file. The name cannot be modified after the Logtail configuration file is created. You can also click Import Other Configuration to import a Logtail configuration file from another project.
   Log Path	The directory and names of log files. The specified log file names can be complete file names or file names that contain wildcards. For more information about wildcards that can be used in patterns of directory and file names, visit Wildcard matching. The log files in all levels of subdirectories under the specified directory that match the specified pattern are monitored. Examples: /apsara/nuwa/ ... /*.log indicates the files whose extension is .log in the /apsara/nuwa directory and its subdirectories are monitored. /var/logs/app_* ... /*.log* indicates each file that meets the following conditions is monitored: The file name contains .log. The file is stored in a subdirectory (at any level) of the /var/logs directory. The name of the subdirectory matches the app_* pattern. Note A log file can be collected by using only one Logtail configuration file. You can include only asterisks (*) and question marks (?) as wildcard characters in the log path.
   Docker File	If you collect log data from Docker containers, you can specify the internal paths and labels of containers. Then Logtail monitors the creation and destruction of the containers, filters logs of the containers based on labels, and collects the filtered logs. For more information, see Use the console to collect Kubernetes text logs in the DaemonSet mode.
   Blacklist	If you turn on this switch, you can configure a blacklist in the Add Blacklist section. You can configure a blacklist to skip the specified directories or files during log data collection. The blacklist supports exact match and wildcard match for directory names and file names. Examples: If you select Filter by Directory from the Filter Type drop-down list and enter /tmp/mydir in the Content column, all files in the directory are skipped. If you select Filter by File from the Filter Type drop-down list and enter /tmp/mydir/file in the Content column, only the specified file in the directory are skipped.
   Mode	By default, Delimiter Mode is selected. For information about other modes, see Overview.
   Log Sample	Enter a sample log entry. The delimiter mode is only applicable to the collection of single-line logs.
   Delimiter	Select the appropriate delimiter based on the log format. Otherwise, Log Service may fail to parse logs. Note If you select Hidden Characters as the delimiter, you must enter the character in the following format: 0xthe hexadecimal ASCII code of the non-printable character. For example, to use the non-printable character whose hexadecimal ASCII code is 01, you must enter 0x01.
   Quote	Select a quote based on the log format. Otherwise, Log Service may fail to parse logs. Note If you select Hidden Characters as the quote, you must enter this character in the following format: 0xthe hexadecimal ASCII code of the non-printable character. For example, to use the non-printable character whose hexadecimal ASCII code is 01, you must enter 0x01.
   Extracted Content	Log Service extracts the log content based on the specified sample log entry and delimiter. The extracted log content is delimited into values. You must specify a key for each value.
   Incomplete Entry Upload	Specifies whether to upload a log entry whose number of parsed fields is less than the number of the specified keys. If you turn on this switch, the log entry is uploaded. If you turn off this switch, the log entry is dropped. For example, if you set the delimiter to the vertical bar (|), the log entry 11|22|33|44|55 is parsed into the following fields: 11, 22, 33, 44, and 55. You can set the keys to A, B, C, D, and E, respectively. If you turn on the Incomplete Entry Upload switch, 55 is uploaded as the value of the D key when Log Service collects the log entry 11|22|33|55. If you turn off the Incomplete Entry Upload switch, Log Service drops the log entry because the fields and keys do not match.
   Use System Time	If you turn on the Use System Time switch, the timestamp of a log entry is the system time of the server when the log entry is collected. If you turn off the Use System Time switch, you must find the value that indicates time information in the Extracted Content and configure a key named time for the value. Specify the value and then click Auto Generate in the Time Conversion Format field to automatically parse the time. For more information, see Time formats.
   Drop Failed to Parse Logs	If you turn on the Drop Failed to Parse Logs switch, logs that fail to be parsed cannot be uploaded to Log Service. If you turn off the Drop Failed to Parse Logs switch, raw logs are uploaded when the raw logs fail to be parsed.
   Maximum Directory Monitoring Depth	The maximum depth at which the log directory is monitored. Valid values: 0 to 1000. The value 0 indicates that only the directory specified in the log path is monitored.

   Specify Advanced Options based on your business requirements. We recommend that you do not modify the default settings unless otherwise required.

   Parameter	Description
   Enable Plug-in Processing	Specifies whether to use plug-ins for Logtail to process logs. If you turn on the switch, plug-ins are used to process logs.
   Upload Raw Log	If you turn on this switch, raw logs are written to the __raw__ field and uploaded with the parsed logs.
   Topic Generation Mode	Null - Do not generate topic: This mode is selected by default. In this mode, the topic field is set to an empty string and you can query logs without the need to enter a topic. Machine Group Topic Attributes: This mode is used to differentiate log data that is generated by different servers. File Path Regex: If you select File Path Regex for Topic Generation Mode, you must configure a regular expression in the Custom RegEx field. The part of a log path that matches the regular expression is used as the topic name. This mode is used to differentiate log data that is generated by different users or ECS instances.
   Log File Encoding	utf8: indicates UTF-8 encoding. gbk: indicates GBK encoding.
   Timezone	The time zone where logs are collected. System Timezone: This option is selected by default. It indicates that the time zone where logs are collected is the same as the time zone to which the server belongs. Custom: Select a time zone.
   Timeout	If a log file is not updated within the specified period of time, Logtail considers the file to be timed out. Never: All log files are continuously monitored and never time out. 30 Minute Timeout: If a log file is not updated within 30 minutes, Logtail considers the log file to be timed out and no longer monitors the file. If you select 30 Minute Timeout, you must set Maximum Timeout Directory Depth. Valid values: 1 to 3.
   Filter Configuration	Specifies to collect logs that match the filtering conditions. Examples: If you want to collect only the logs with the severity level of WARNING or ERROR, set the condition Key:level Regex:WARNING|ERROR. It indicates that logs with the severity level of WARNING or ERROR are collected. Filter logs that do not meet a condition: Set the condition to Key:level Regex:^(?!. *(INFO|DEBUG)). * if you want to filter out the logs with the severity level of INFO or DEBUG. Set the condition to Key:url Regex:. *^(?!.*(healthcheck)). * if you want to filter out the logs whose URL contains the keyword healthcheck. For example, logs in which the value of the url key is /inner/healthcheck/jiankong.html are not collected. For more examples, see regex-exclude-word and regex-exclude-pattern.

7. In the Configure Query and Analysis step, set indexes.
   Indexes are configured by default. You can reconfigure the indexes as needed. For more information, see Enable and configure the index feature for a Logstore.

   Note

   • You must set Full Text Index or Field Search. If you set both of them, the settings of Field Search prevail.
   • If the data type of an index is Long or Double, the Case Sensitive and Delimiter settings are unavailable.

After all configurations are completed, Log Service starts to collect logs.